Topic: Someone was paid for this

[webwhy]

We were just awarded a maintenance contract for a local bank's public website and intranet.  both were created by a local advertising and marketing firm who "specializes" in the web.  during our typical security review we found this (amongst a shit load of other problems)


<?php
  if($_SESSION['loggedin'] != 'yes') {
?>
  <script type="text/javascript">
    alert('You have either linked to this page directly or your session has expired.  Please login to continue');
    window.location = 'http://foo.com/bar/login.php'
  </script>

<?php
  }
?>


This was the authentication check for the content management for the website.  Insane!  I've never seen something like this especially when the developer is getting paid real money to build it.  Needless to say, the VP we deal with was scary pissed when we reported all of the security holes we found in both sites.

[micah]

so, if you turned javascript off it wouldn't log you out?  nice!

[webwhy]

basically if you turn javascript off, you can bypass authentication and you have full access to the administration of the the website's cms.  whoever developed this obviously doesn't (didn't) understand http at all...

[JaWiB]

So the fix was to wrap the rest of the page in an 'else' statement?

[webwhy]

So the fix was to wrap the rest of the page in an 'else' statement?

fix was to redirect through http and kill the execution of the script.


<?php
  if($_SESSION['loggedin'] != 'yes') {
    header("Location: https://foo.com/bar/login.php");
    die;
  }
?>

[JaWiB]

Gotta love any language that includes a function called "die." I often find myself screaming that at code written by other people, but alas I have no other recourse.

[Mike]

Gotta love any language that includes a function called "die." I often find myself screaming that at code written by other people, but alas I have no other recourse.

PHP should add a diaf construct