When creating a password-protected section of a website, such as an admin portal for a CMS solution, developers typically check whether the user session is authenticated. If the user session is not authenticated, the user is redirected to the login page. Perhaps because of a lack of development experience, developers often use code like the sample below in pages to determine whether a session already exists:

<?php
// check if the session is authenticated
if (!isset($_SESSION["isAdmin"])) {
    header("Location: ../login.php");
}
?>
<title>Admin Dashboard</title>
<h3>List of Users</h3>

This code checks whether the isAdmin session variable is set; if it is not, the user is redirected to the login page. The problem with the above sample script is that it is not terminated after the user is redirected to the login page. Calling header() only sets the Location header; PHP keeps executing the rest of the script and sends its output as the body of the redirect response. I’ve repeatedly seen this mistake in different applications developed by different developers. This coding mistake is not easy to notice because when accessing the application using a normal web browser, everything works as it should.

As seen in the above screenshot, when using a web browser the user is shown a login page if they try to access a password-protected page and the session is not valid, i.e. the user never authenticated. However, if you try to access the same page using a tool such as the HTTP editor, you will notice something interesting.

In the above screenshot we can see the HTTP response headers. As you can see, the HTTP status code is HTTP/1.1 302 Found. This means that the web browser should redirect the user to the page specified by the Location header (../login.php).

However, when you browse the body content of the page using the same tool, you’ll notice that you can see the administrative page: for example, a list of registered users and their password hashes, and even an HTML form to add new users. We can see this page because HTTP Editor doesn’t automatically follow redirects like a normal web browser and shows the page as it is.

In the latest version of Acunetix Web Vulnerability Scanner we have added a web security check that checks if there is an HTML form inside a redirect page. Using heuristic analysis, the Acunetix Web Vulnerability Scanner will also try to determine if the page is an administrative page or leads to pages with administrative access. If such pages are discovered, an alert is generated, and if such pages are administrative pages, the alert will be tagged as a ‘high risk alert’. When we scanned the test website used in the above example with Acunetix WVS, the scanner generated the following alert:

How to fix such a problem?

The fix is very simple. The script that checks if a user is authenticated or not must be terminated after the user is redirected. Below is a code sample with the fix. Notice the “exit();” on line 5, which terminates the script.

<?php
// check if the session is authenticated
if (!isset($_SESSION["isAdmin"])) {
    header("Location: ../login.php");
    exit();
}
?>
<title>Admin Dashboard</title>
<h3>List of Users</h3>
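
The scanner check described earlier (an HTML form inside a redirect response, rated higher when the page looks administrative) can be approximated offline as a regression test for this fix. This is an added example, not Acunetix's implementation; the function name, keyword list and sample responses (including `adduser.php`) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

REDIRECT_CODES = {"301", "302", "303", "307", "308"}
# Assumed keyword heuristic for "looks administrative"; tune for your own application.
ADMIN_HINTS = re.compile(r"\b(admin|dashboard|users?|passwords?)\b", re.I)

class BodyScan(HTMLParser):
    """Counts <form> tags and collects text nodes from a response body."""
    def __init__(self):
        super().__init__()
        self.forms = 0
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms += 1

    def handle_data(self, data):
        self.text.append(data)

def check_redirect(raw):
    """Return 'none', 'alert' (form in a redirect body) or 'high' (admin-looking page)."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) > 1 else ""
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", parts[0])
    if not m or m.group(1) not in REDIRECT_CODES:
        return "none"  # not a redirect, nothing to check
    scan = BodyScan()
    scan.feed(body)
    if scan.forms == 0:
        return "none"  # empty or boilerplate redirect body
    return "high" if ADMIN_HINTS.search(" ".join(scan.text)) else "alert"

# Constructed sample responses (not captured from a real site).
VULNERABLE = (  # script kept running after header(): admin page leaks in the 302 body
    "HTTP/1.1 302 Found\r\nLocation: ../login.php\r\nContent-Type: text/html\r\n\r\n"
    "<title>Admin Dashboard</title><h3>List of Users</h3>"
    '<form method="post" action="adduser.php"><input name="username"></form>'
)
FIXED = "HTTP/1.1 302 Found\r\nLocation: ../login.php\r\nContent-Length: 0\r\n\r\n"
SEARCH = ("HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"
          '<p>Moved</p><form action="/search"><input name="q"></form>')
LOGIN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         '<form method="post">Password <input type="password" name="p"></form>')

if __name__ == "__main__":
    for name in ("VULNERABLE", "FIXED", "SEARCH", "LOGIN"):
        print(name, check_redirect(globals()[name]))
```

To use it against your own application, capture the raw response with a client that does not follow redirects and pass it to `check_redirect`.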

THE AUTHOR
Bogdan Calin

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.