Found a security vulnerability in the Access User Class.

After looking through your source code, I have found a vulnerability in the function access_page() (line 168 of access_user_class.php)

Code:

function access_page($refer = "", $qs = "", $level = DEFAULT_ACCESS_LEVEL) {
$refer_qs = $refer;
$refer_qs .= ($qs != "") ? "?".$qs : "";
if (isset($_SESSION['user']) && isset($_SESSION['pw'])) {
$this->user = $_SESSION['user'];
$this->user_pw = $_SESSION['pw'];
$this->get_access_level();
if (!$this->check_user()) {
$_SESSION['referer'] = $refer_qs;
header("Location: ".$this->login_page);
}
if ($this->access_level < $level) {
header("Location: ".$this->deny_access_page);
}
} else {
$_SESSION['referer'] = $refer_qs;
header("Location: ".$this->login_page);
}
}

The function merely uses header("Location: ".$this->deny_access_page); and does not exit() or die() after this redirect. This could allow an attacker to view a page that is supposed to be restricted, without even being logged in. This would be accomplished by using a browser that ignores the sent header. Then the rest of the script would execute, revealing the content of the page that is supposed to be invisible to attacker.

Here is what the code should be to be more secure:

Code:

function access_page($refer = "", $qs = "", $level = DEFAULT_ACCESS_LEVEL) {
$refer_qs = $refer;
$refer_qs .= ($qs != "") ? "?".$qs : "";
if (isset($_SESSION['user']) && isset($_SESSION['pw'])) {
$this->user = $_SESSION['user'];
$this->user_pw = $_SESSION['pw'];
$this->get_access_level();
if (!$this->check_user()) {
$_SESSION['referer'] = $refer_qs;
header("Location: ".$this->login_page);
exit();
}
if ($this->access_level < $level) {
header("Location: ".$this->deny_access_page);
exit();
}
} else {
$_SESSION['referer'] = $refer_qs;
header("Location: ".$this->login_page);
                        exit();
}
}

Let me know what you think.
Sean

[Free WordPress Themes]

Thank you Sean,

I remember that someone pointed me on this before, I will add the exit or die() commands to the script.

By the way there is only a problem if your protect script will be executed (a download script or something)

but anywhat there should be always a die or exit after the header location...

This would be accomplished by using a browser that ignores the sent header.

I didn't know that this is possible, do you have an example browser?

let me see if I can find an example browser

EDIT: I couldn't find any, but it seems that an attacker can modify a browser to ignore the sent headers.

Maybe it would be better to change the way access_page works to something like this:

{Protected Page}

Code:

include(filename);
$page = new Access;
if ($page->accesspage) {
PROTECTED HTML HERE
}

Then change the function to redirect and return false on authentication fail.

[Free WordPress Themes]

Maybe it would be better to change the way access_page works to something like this:

{Protected Page}

Code:

include(filename);
$page = new Access;
if ($page->accesspage) {
PROTECTED HTML HERE
}

Then change the function to redirect and return false on authentication fail.

you can do that but I don't think that this is common with the most applications. If you need to fight back hackers you should do somthing more then protect pages with just a password...

But, isn't Header a merely PHP function that the server executes? I don't think there's any way to stop a header from being executed since it runs on the server itself..
I know Javascript and VB redirects can be prevented, but not PHP I believe.
My ears are open for reasons though.

[Free WordPress Themes]

But, isn't Header a merely PHP function that the server executes? I don't think there's any way to stop a header from being executed since it runs on the server itself..
I know Javascript and VB redirects can be prevented, but not PHP I believe.
My ears are open for reasons though.

yes right, that was the first time that a user is telling me these things (check the download count: more than 30000 incl. phpclasses.org)

that will say that a lot of applications a not safe (not only with AU)

But, isn't Header a merely PHP function that the server executes? I don't think there's any way to stop a header from being executed since it runs on the server itself..
I know Javascript and VB redirects can be prevented, but not PHP I believe.
My ears are open for reasons though.

Well think about it.

A hacker goes to protected page, and is not logged in.
PHP says "Go over here to login.php".
Hacked browser says OK, I went.
PHP execution still goes to completion
Page is shown to hacker.

[Free WordPress Themes]

Well think about it.

A hacker goes to protected page, and is not logged in.
PHP says "Go over here to login.php".
Hacked browser says OK, I went.
PHP execution still goes to completion
Page is shown to hacker.

after this code is executed?

Code:

header("Location: page.php");
exit;

[Join us @ facebook]

If the hacker opens this page with socket connection or with curl with FOLLOW_LOCATION = false he/she can get the results of the page.

Of course with the exit statement there is no problem.

[Free WordPress Themes]

If the hacker opens this page with socket connection or with curl with FOLLOW_LOCATION = false he/she can get the results of the page.

Of course with the exit statement there is no problem.

Ok the case is clear (thank you Nick)

the script was updated with the last version and this thread is closed

[Guest]

[36.302]

Gigabot, Googlebot, Yahoo crawler, Baidu Spider