The breath of the dead horse is a security problem in PHP that stems from the majority of PHP developers lacking knowledge of the HTTP protocol.
Let me show you why...
This is common PHP code; you will find something similar in nearly 90% of all PHP applications. Even a lot of new enterprise PHP software shows this kind of source code.
Let's say we have a website located at "http://security.local"
and a file called "header.php" with the following content:

So what is the problem here?
Nothing, if you point your common browser to the URL ("http://security.local/header.php").
The PHP script will match the first condition and send an HTTP header with status 302 to your browser.
HTTP/1.x 302 means "Moved Temporarily".
Thus your browser will redirect you to "http://security.local/index.php", as the PHP source code above clearly shows.
So we can keep this fact in mind:
All common browsers interpret the 302 Moved header and automatically load the new URL of the moved object. Thus the user will not see anything else that comes after the header Location redirect.
But what if someone is able to make his browser ignore or skip header redirects? What happens then? How does one ignore the HTTP redirect headers sent by PHP's "header('Location: ...')", for example?
Well, see for yourself. I am calling the same URL from the example above again, but this time with "curl", which by default does not follow HTTP redirects:

As you can see, the PHP script is still executed even after the "redirect". A header redirect does not stop the PHP script; it just tells the client browser how it "should" react now!
Even if your browser redirects you after receiving this header, and you therefore cannot see ADMIN PANEL from the example above ... the PHP script will still be executed.
Lesson learned:
Always call "exit()" or "die()" after a PHP header redirect, to make sure the user neither sees nor uses something he is not allowed to, and the script does not continue running in the background!
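As an added example (this is not the post's own header.php, which is not reproduced above), here is the redirect-without-exit pattern the post describes next to the hardened form. It assumes a session flag "is_admin" marks administrators and uses a hypothetical delete_user() helper to stand in for any privileged action.

```php
<?php
// Added example, not the post's own header.php: the redirect-without-exit
// pattern beside the hardened form. Assumes a session flag "is_admin"
// and a hypothetical delete_user() helper (any privileged state change).
declare(strict_types=1);
session_start();

function delete_user(string $name): void
{
    // Hypothetical privileged action; stands in for any state change.
    error_log("deleted user $name");
}

// Vulnerable form: header() queues a 302 but the script keeps running.
// A browser follows the redirect and never shows what comes next, but a
// client that does not follow redirects (curl without -L) sees the panel
// AND triggers the privileged action below.
function vulnerable_admin_page(): void
{
    if (empty($_SESSION['is_admin'])) {
        header('Location: http://security.local/index.php');
        // Missing exit(): execution falls through to the admin code.
    }
    echo "ADMIN PANEL\n";
    if (isset($_GET['delete'])) {
        delete_user((string) $_GET['delete']);
    }
}

// Hardened form: stop the script right after sending the redirect header,
// so an unauthorized client receives the 302 and nothing else.
function hardened_admin_page(): void
{
    if (empty($_SESSION['is_admin'])) {
        header('Location: http://security.local/index.php', true, 302);
        exit();
    }
    echo "ADMIN PANEL\n";
    if (isset($_GET['delete'])) {
        delete_user((string) $_GET['delete']);
    }
}

hardened_admin_page();

// To check from the command line: curl -i prints the response headers and
// does not follow the redirect unless -L is given. The hardened page
// answers with only the 302 and an empty body:
//   curl -i 'http://security.local/header.php?delete=bob'
```

Swap the final call for vulnerable_admin_page() and repeat the curl command to see "ADMIN PANEL" in the body and the "deleted user" log line despite the 302 status.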
Oh, and about the dead horse... it is really nearly dead now!