CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-698: Execution After Redirect (EAR)

 
Execution After Redirect (EAR)
Weakness ID: 698 (Weakness Base)Status: Incomplete
+ Description

Description Summary

The web application sends a redirect to another location, but instead of exiting, it executes additional code.
+ Alternate Terms
Redirect Without Exit
+ Time of Introduction
  • Implementation
+ Common Consequences
ScopeEffect
Other
Confidentiality
Integrity
Availability

Technical Impact: Alter execution logic; Execute unauthorized code or commands

This weakness could affect the control flow of the application and allow execution of untrusted code.

+ Detection Methods

Black Box

This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.

+ Demonstrative Examples

Example 1

This code queries a server and displays its status when a request comes from an authorized IP address.

(Bad Code)
Example Language: PHP 
$requestingIP = $_SERVER['REMOTE_ADDR'];
if(!in_array($requestingIP,$ipWhitelist)){
echo "You are not authorized to view this page";
http_redirect($errorPageURL);
}
$status = getServerStatus();
echo $status;
...

This code redirects unauthorized users, but continues to execute code after calling http_redirect(). This means even unauthorized users may be able to access the contents of the page or perform a DoS attack on the server being queried. Also, note that this code is vulnerable to an IP address spoofing attack (CWE-212).

+ Observed Examples
ReferenceDescription
CVE-2013-1402Execution-after-redirect allows access to application configuration details.
CVE-2009-1936chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal.
CVE-2007-2713Remote attackers can obtain access to administrator functionality through EAR.
CVE-2007-4932Remote attackers can obtain access to administrator functionality through EAR.
CVE-2007-5578Bypass of authentication step through EAR.
CVE-2007-2713Chain: Execution after redirect triggers eval injection.
CVE-2007-6652chain: execution after redirect allows non-administrator to perform static code injection.
+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory361Time and State
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class670Always-Incorrect Control Flow Implementation
Research Concepts1000
ChildOfWeakness ClassWeakness Class705Incorrect Control Flow Scoping
Research Concepts (primary)1000
ChildOfCategoryCategory907SFP Cluster: Other
Software Fault Pattern (SFP) Clusters (primary)888
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ References
Adam Doupé, Bryce Boe, Christopher Kruegel and Giovanni Vigna. "Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities". <http://cs.ucsb.edu/~bboe/public/pubs/fear-the-ear-ccs2011.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2008-09-09MITREInternal CWE Team
Modifications
Modification DateModifierOrganizationSource
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Common_Consequences, Demonstrative_Examples, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Demonstrative_Examples
2013-02-21CWE Content TeamMITREInternal
updated Alternate_Terms, Name, Observed_Examples, References
Previous Entry Names
Change DatePrevious Entry Name
2013-02-21Redirect Without Exit
Page Last Updated: February 18, 2014