CWE-698 重定向后执行(EAR)
Execution After Redirect (EAR)
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: unkown
基本描述
The web application sends a redirect to another location, but instead of exiting, it executes additional code.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 705 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 670 cwe_View_ID: 1000
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Other', 'Confidentiality', 'Integrity', 'Availability'] | ['Alter Execution Logic', 'Execute Unauthorized Code or Commands'] | This weakness could affect the control flow of the application and allow execution of untrusted code. |
检测方法
Black Box
This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.
示例代码
例
This code queries a server and displays its status when a request comes from an authorized IP address.
bad PHP
$requestingIP = $_SERVER['REMOTE_ADDR'];
if(!in_array($requestingIP,$ipWhitelist)){
$status = getServerStatus();
echo $status;
...
if(!in_array($requestingIP,$ipWhitelist)){
echo "You are not authorized to view this page";
http_redirect($errorPageURL);
}http_redirect($errorPageURL);
$status = getServerStatus();
echo $status;
...
This code redirects unauthorized users, but continues to execute code after calling http_redirect(). This means even unauthorized users may be able to access the contents of the page or perform a DoS attack on the server being queried. Also, note that this code is vulnerable to an IP address spoofing attack (CWE-212).
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2013-1402 | Execution-after-redirect allows access to application configuration details. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1402 |
| CVE-2009-1936 | chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1936 |
| CVE-2007-2713 | Remote attackers can obtain access to administrator functionality through EAR. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2713 |
| CVE-2007-4932 | Remote attackers can obtain access to administrator functionality through EAR. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4932 |
| CVE-2007-5578 | Bypass of authentication step through EAR. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5578 |
| CVE-2007-2713 | Chain: Execution after redirect triggers eval injection. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2713 |
| CVE-2007-6652 | chain: execution after redirect allows non-administrator to perform static code injection. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6652 |