php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77965 not inlcuding php after <? allows user to access protected pages
Submitted: 2019-05-03 15:22 UTC Modified: 2019-05-03 15:47 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: drwho_who at yahoo dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 7.3.5 OS: Windows Sefver 2016
Private report: No CVE-ID: None
 [2019-05-03 15:22 UTC] drwho_who at yahoo dot com
Description:
------------
<?
session_start();
ob_start();
if (isset($_SESSION['username']) && $_SESSION['jur']) {
} else {
header("Location: login.php");
}
?>

Test script:
---------------
<?
session_start();
ob_start();
if (isset($_SESSION['username']) && $_SESSION['jur']) {
} else {
header("Location: login.php");
}
?>

Expected result:
----------------
I would expect a user not to be able to get to this page, or the page completely error out if missing the php in <?


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-03 15:23 UTC] drwho_who at yahoo dot com
IF a user goes to the page with the code as shown, a link on the page will give them access to the site completely, and page, no forced logins.
 [2019-05-03 15:27 UTC] peehaa@php.net
-Status: Open +Status: Not a bug
 [2019-05-03 15:27 UTC] peehaa@php.net
Short open tags needs to be enable for that to work https://www.php.net/manual/en/ini.core.php#ini.short-open-tag

If it's not enabled it's rendered as usual.
 [2019-05-03 15:32 UTC] spam2 at rhsoft dot net
how is it's PHP's fault when you just send a jeader but don't do an exit() after that and than have code after the if-clause which will happily execute because the server don#t bother about a redirect header it sends to the client?

"<? allows user to access protected pages" is a terrible description anyways as well as "or the page completely error out if missing the php in <?"

maybe you use only <? instead of <?php and short-open-atgs (which shouldn't be used for many years) are disabled on the server but who knows givenb that your descriptions are worded so bad
 [2019-05-03 15:32 UTC] drwho_who at yahoo dot com
Should be a major Security Flaw BUG.

If a user can by pass the login due to a missing php, that's a bug.

PHP should kill itself is code is not correct.

MAJOR SECURITY HOLE
 [2019-05-03 15:38 UTC] lulz at lel dot lol
There are some other types of major hole going on around here by the looks of things
 [2019-05-03 15:43 UTC] drwho_who at yahoo dot com
wow....grow up
 [2019-05-03 15:45 UTC] spam2 at rhsoft dot net
> PHP should kill itself is code is not correct
> MAJOR SECURITY HOLE

bullshit!

when short_opentags is disabled anything with <? ?> is not code at all

hence don't rely on random configs which can be different on every server and than blame php because you are too lazy write proper <?php as anybody does for years now

RTFM: https://www.php.net/manual/en/ini.core.php#ini.short-open-tag
 [2019-05-03 15:47 UTC] daverandom@php.net
-Block user comment: No +Block user comment: Yes
 [2019-05-03 15:47 UTC] daverandom@php.net
You are correct, it is a security hole, which is why short tags are in the process of being removed from the language https://wiki.php.net/rfc/deprecate_php_short_tags

The solution to the problem is simply to not ever use short open tags.
 [2019-05-03 15:47 UTC] daverandom@php.net
I've closed comments on this before it gets any worse.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jun 19 22:01:22 2021 UTC