The web application sends a redirect to another location, but instead of exiting, it executes additional code.
Redirect Without Exit
Time of Introduction
Technical Impact: Alter execution
logic; Execute unauthorized code or
This weakness could affect the control flow of the application and
allow execution of untrusted code.
This issue might not be detected if testing is performed using a web
browser, because the browser might obey the redirect and move the user
to a different page before the application has produced outputs that
indicate something is amiss.
This code queries a server and displays its status when a request
comes from an authorized IP address.
$requestingIP = $_SERVER['REMOTE_ADDR'];
echo "You are not authorized to view this page";
$status = getServerStatus();
This code redirects unauthorized users, but continues to execute code after calling http_redirect(). This means even unauthorized users may be able to access the contents of the page or perform a DoS attack on the server being queried. Also, note that this code is vulnerable to an IP address spoofing attack (CWE-212).