Execution After Redirection - School Dormitory Management System

May 11, 2022

Product: School Dormitory Management System
Product Link: Link
Vulnerability: Execution After Redirection
Severity: Critical

Overview

Execution After Redirect (EAR) is an attack in which the attacker ignores a redirect and retrieves the sensitive content that was intended only for authenticated users. A successful EAR exploit can lead to complete compromise of the application.

If a user is not authenticated to the application, the application redirects that user to the login page. The redirection is performed by adding JavaScript code at the beginning of the response body. However, the full page is rendered and sent anyway. By modifying the response body, a threat actor can access the website without a valid session.

The vulnerability is the result of an incorrect implementation of the redirection function in inc/sess-auth.php and config.php.

inc/sess-auth.php calls the redirect() function if the user does not have a valid session:

// $link holds the requested URL (defined elsewhere in the project); the check is
// skipped on the login page itself so that the redirect does not loop.
if(!isset($_SESSION['userdata']) && !strpos($link, 'login.php')){
	redirect('admin/login.php'); // returns normally; the rest of the page still runs
}

The redirect() function then adds a JavaScript redirection at the beginning of the response body:

// base_url is a constant holding the site root, defined in config.php.
function redirect($url=''){
	if(!empty($url))
	echo '<script>location.href="'.base_url .$url.'"</script>';
	// No exit()/die() here: script execution continues after the redirect is emitted.
}

However, execution is not stopped after this. By actively preventing the redirection (by modifying the response or by disabling JavaScript), an attacker gets full access to the application.

An example of active response modification to prevent the JavaScript redirection using the Burp Suite proxy (screenshot):

Page access without an authenticated session (screenshot):

Remediation

Script execution must be terminated after a redirect is issued. Inside a function, a return should follow the redirect; elsewhere, a terminating call such as die() should be used. This tells the application to stop regardless of whether the client actually follows the redirect.
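For comparison, the pattern from the advisory beside a terminating version, written here as an added example and not taken from the project; the base_url value and the dorm.example host are placeholder assumptions:

```php
<?php
// Added example (not the project's code): the non-terminating redirect from the
// advisory next to a redirect that stops the script. base_url is assumed to be a
// constant holding the site root, as in the original snippet (placeholder value here).
declare(strict_types=1);

if (!defined('base_url')) {
    define('base_url', 'https://dorm.example/'); // placeholder, not the real product URL
}

// Vulnerable pattern: emits a client-side redirect and returns, so the caller
// keeps executing and the protected page is still rendered and sent.
function redirect_vulnerable(string $url = ''): void
{
    if (!empty($url)) {
        echo '<script>location.href="' . base_url . $url . '"</script>';
    }
    // execution continues in the caller
}

// Hardened version: prefer an HTTP Location header, which does not depend on
// client-side JavaScript, and always stop execution afterwards.
function redirect_safe(string $url = ''): void
{
    $target = base_url . ltrim($url, '/');
    if (!headers_sent()) {
        header('Location: ' . $target, true, 302);
    } else {
        // Output has already started, so a header is impossible; fall back to a
        // meta refresh (works with JS disabled) plus the JS redirect.
        $escaped = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
        echo '<meta http-equiv="refresh" content="0;url=' . $escaped . '">';
        echo '<script>location.href=' . json_encode($target) . ';</script>';
    }
    exit; // the essential fix (die() is equivalent): nothing after this line runs
}

// Session gate in the shape of inc/sess-auth.php, using the terminating redirect.
// The login-page check uses === false so a match at offset 0 is not misread as "no match".
function require_login(string $link): void
{
    if (!isset($_SESSION['userdata']) && strpos($link, 'login.php') === false) {
        redirect_safe('admin/login.php');
    }
    // Only reached with a valid session: safe to render the protected page.
}
```

Even keeping the original JavaScript redirect, adding exit; after the echo would close the hole, because the protected markup is never appended to the response.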