Hello everyone. I was doing challenges on the website that had a clue in challenges:
There is a “execution after redirect” to one of the login pages
I’ve done a test with burp, and get /user who’s re-directed to the /user/login with the response 302 found, and /cmsadmin to / with the response 301 moved permanently, But when I went change request location to /admin/1 response was “access denied”.
And I’ve been crawling all over the website with a dirbuster.
How do I manipulate this EAR? And how do I know the possible files/dir for bypass?
EAR means that you get access to a restricted site when you ignore redirects. If you see nothing other than “Moved Permanently” html page, than it’s not EAR.
I am slightly confused at what the purpose of EAR is and I did look at OWASP for some idea. Is this type of “vulnerability” still pausible since I haven’t seen any of this nature on any site?
$requestingIP = $_SERVER['REMOTE_ADDR'];
if(!in_array($requestingIP, $ipWhitelist))
{
echo "You are not authorized to view this page";
http_redirect($errorPageURL);
}
$status = getServerStatus();
echo $status;
This basic PHP code redirects every user who doesn’t have their IP inside a whitelist straight to an error page, but if said user is part of the whitelist the same page will display what’s supposed to be restricted content, without performing any actual session or identity check. This means that if a browser was to ignore the redirect, any user would be able to access that content without authorization.
It’s not too common and it derives from bad programming practices that any good developer should be aware of, mostly the lack of proper session management, but it definitely is a real flaw you may run into in the wild.
