Maxim Dsouza - 1 month ago
PHP Question

Session check bypass vulnerability

We have a PHP page which is the admin section of the website. It is used to perform some update actions on the database. The code looks as follows:

session_start();
if (!isset($_SESSION['somevariable']))
{
    header("Location:loginpage.php");
    // no exit here: execution continues below even after the redirect header is set
}

// $con is an existing mysqli connection
$id = $_GET['somevariable'];
$sql = "UPDATE sometable SET somecolumn='' where someothercolumn=?";
$stmt = $con->prepare($sql);
$stmt->bind_param('s', $id);
$stmt->execute();


What we have noticed is that there has been some vulnerability, and this piece of code seems to be running from an unknown source at a periodic interval (5 seconds), which doesn't seem like someone has the password for the admin section and is running the actions manually.

We would like to know whether a hacker can bypass this login check and execute the rest of the code without having the password. Any insights into the vulnerability in the above piece of code will be helpful. Thanks in advance.

Answer

I saw two vulnerabilities:

1) CSRF (using the variable directly from the GET method)

2) exit not used after calling the header function

Correct code should be like this:

<?php
header("Location: http://www.example.com/"); /* Redirect browser */

/* Make sure that code below does not get executed when we redirect. */
exit;
?>

See the php.net documentation for header().
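A hardened version of the admin page, added here as an example (it is not code from the question or the answer), that closes both gaps the answer lists: it stops executing after the redirect, and it no longer lets a plain GET request drive the database update. The session key admin_id, the token name csrf, the mysqli connection details and the 64-character length cap on the identifier are assumptions; the table and column names are the placeholders from the question.

```php
<?php
// Hardened admin page: added example, not code from the original question or
// answer. 'admin_id', 'csrf', the mysqli connection details and the table and
// column names are placeholders for whatever the real application uses.
declare(strict_types=1);

session_start();

// Authentication gate. header() only queues a response header; PHP carries on
// executing the rest of the file. Without the exit, every request to this page,
// with or without a session, reaches the UPDATE below and merely gets a 302 back,
// which is exactly how an unauthenticated script can run it every few seconds.
if (empty($_SESSION['admin_id'])) {
    header('Location: loginpage.php', true, 302);
    exit;
}

// A state-changing action should not be driven by a GET parameter. Require POST
// and a per-session anti-CSRF token so that a link or <img> on a third-party page
// cannot make a logged-in admin's browser perform the update. The token is issued
// on the form page with: $_SESSION['csrf'] = bin2hex(random_bytes(32));
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}
$token = $_POST['csrf'] ?? '';
// is_string() matters: a request with csrf[]=x arrives as an array, and
// hash_equals() would throw a TypeError on it in PHP 8.
if (!isset($_SESSION['csrf']) || !is_string($token)
    || !hash_equals($_SESSION['csrf'], $token)) {
    http_response_code(403);
    exit('invalid CSRF token');
}

// Validate the identifier before it reaches the query. The prepared statement
// already prevents SQL injection, but it does not stop a caller from supplying
// an empty or oversized key; the length limit is an assumption about the column.
$id = $_POST['somevariable'] ?? null;
if (!is_string($id) || $id === '' || strlen($id) > 64) {
    http_response_code(400);
    exit('invalid id');
}

$con = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholders
$stmt = $con->prepare("UPDATE sometable SET somecolumn='' WHERE someothercolumn=?");
$stmt->bind_param('s', $id);
$stmt->execute();
printf("updated %d row(s)\n", $stmt->affected_rows);
```

To confirm the bypass in the original code on a test copy, request the page with no session cookie, for example `curl -si 'http://host/admin.php?somevariable=x'`: the response is a 302 to loginpage.php, yet the row is still updated, because nothing stops execution after header(). Against the hardened page the same request gets the 302 and no update, a GET with a valid session gets 405, and a POST without the session's token gets 403. The exit alone is what closes the reported bypass; the POST and token checks address the answer's first point.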
