CWE-698: Execution After Redirect (EAR)
Description
The web application sends a redirect to another location, but instead of exiting, it executes additional code.
Submission Date :
Sept. 9, 2008, midnight
Modification Date :
2023-10-26 00:00:00+00:00
Organization :
MITRE
Example - 1
This code queries a server and displays its status when a request comes from an authorized IP address. This code redirects unauthorized users, but continues to execute code after calling http_redirect(). This means even unauthorized users may be able to access the contents of the page or perform a DoS attack on the server being queried. Also, note that this code is vulnerable to an IP address spoofing attack (CWE-212).
echo "You are not authorized to view this page";http_redirect($errorPageURL);
// ...//
$requestingIP = $_SERVER['REMOTE_ADDR'];if(!in_array($requestingIP,$ipAllowList)){}$status = getServerStatus();echo $status;
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.