I am working on an existing website, looking for security issues. Is it safe to say that a PHP script aborts after the browser is redirected away, or can a crafty user somehow force the script to continue? Assume "is_logged_in" returns 1 or 0 if the user is currently logged in. Assume there are no vulnerabilities in this function. The code is as follows:

<?
$fp = fopen("./debug.txt", "a");
fwrite("BEFORE LOGIN CHECK\n");

if(!is_logged_in()) {
         fwrite("Not authed \n");
         header("Location: $url", TRUE, 302);
}
fwrite("Passed auth check \n");
/* Code to do some logged in functionality here */
?>

Using a normal browser with a logged in user I get

BEFORE LOGIN CHECK
Passed auth check

With a not logged in user I get

BEFORE LOGIN CHECK
Not authed

Is it possible to hold the script open (and ignore the redirect), using raw requests so that I get

BEFORE LOGIN CHECK
Not authed
Passed auth check

Essentially go into the if block, get the redirect header, ignore it, and have the script continue executing.

If not I would correct the issue by doing:

if(!is_logged_in()) {
         fwrite("Not authed \n");
         header("Location: $url", TRUE, 302);
         die();
}

But I'm not sure if this is even an issue.

user2072710

3 Answers

Correct, you need to use exit(); or die(); after that header to stop PHP from executing.

By using header() you are simply setting a single HTTP header, which to PHP means nothing. You can set header('X-CHEESE: cheddar'); and it's going to execute that fine, then carry on with the processing.

The die you used will tell PHP to stop executing, then the browser will take over, so when it spots the Location: it will go to the URL provided.

Phil Sturgeon

If you don't exit; after the header then the script should continue to run.

I have used this before when sending HTTP 200 to the client, and content-length: 0. So the client doesn't do anything, and PHP continues executing.

Mr_Tom

The header method doesn't end the script execution, so the user would get a redirect header, but the rest of the script would still execute (and this is dangerous).

Either die() or exit your code after the redirect.

EDIT:

After a test with the following code:

$fp = fopen("debug.txt", "a");
fwrite($fp,"BEFORE LOGIN CHECK\n");

if(true) {
         fwrite($fp,"Not authed \n");
         header("Location: index.php", TRUE, 302);
}
fwrite($fp,"Passed auth check \n");
fclose($fp);

Changing the value inside the if to false appends this to the debug.txt file:

BEFORE LOGIN CHECK
Passed auth check 

Changing it to true appends this to debug.txt:

BEFORE LOGIN CHECK
Not authed 
Passed auth check 

cernunnos

  • How come debug.txt is not getting to "Passed auth check"? The script does appear to be terminating. – user2072710 Mar 19 '13 at 14:39
  • That is strange, I have to test this behaviour, in theory you would have to exit the script, I'll test it and get back to you – cernunnos Mar 19 '13 at 14:42
  • Tested it and header does not interrupt execution, also, your fwrite needs to get the file pointer as first parameter: fwrite($fp,"lala") – cernunnos Mar 19 '13 at 14:46