php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77965 not inlcuding php after <? allows user to access protected pages
Submitted: 2019-05-03 15:22 UTC Modified: 2019-05-03 15:47 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: drwho_who at yahoo dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 7.3.5 OS: Windows Sefver 2016
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: drwho_who at yahoo dot com
New email:
PHP Version: OS:

Further comment on this bug is unnecessary.

 

 [2019-05-03 15:22 UTC] drwho_who at yahoo dot com
Description:
------------
<?
session_start();
ob_start();
if (isset($_SESSION['username']) && $_SESSION['jur']) {
} else {
header("Location: login.php");
}
?>

Test script:
---------------
<?
session_start();
ob_start();
if (isset($_SESSION['username']) && $_SESSION['jur']) {
} else {
header("Location: login.php");
}
?>

Expected result:
----------------
I would expect a user not to be able to get to this page, or the page completely error out if missing the php in <?


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-03 15:23 UTC] drwho_who at yahoo dot com
IF a user goes to the page with the code as shown, a link on the page will give them access to the site completely, and page, no forced logins.
 [2019-05-03 15:27 UTC] peehaa@php.net
-Status: Open +Status: Not a bug
 [2019-05-03 15:27 UTC] peehaa@php.net
Short open tags needs to be enable for that to work https://www.php.net/manual/en/ini.core.php#ini.short-open-tag

If it's not enabled it's rendered as usual.
 [2019-05-03 15:32 UTC] spam2 at rhsoft dot net
how is it's PHP's fault when you just send a jeader but don't do an exit() after that and than have code after the if-clause which will happily execute because the server don#t bother about a redirect header it sends to the client?

"<? allows user to access protected pages" is a terrible description anyways as well as "or the page completely error out if missing the php in <?"

maybe you use only <? instead of <?php and short-open-atgs (which shouldn't be used for many years) are disabled on the server but who knows givenb that your descriptions are worded so bad
 [2019-05-03 15:32 UTC] drwho_who at yahoo dot com
Should be a major Security Flaw BUG.

If a user can by pass the login due to a missing php, that's a bug.

PHP should kill itself is code is not correct.

MAJOR SECURITY HOLE
 [2019-05-03 15:38 UTC] lulz at lel dot lol
There are some other types of major hole going on around here by the looks of things
 [2019-05-03 15:43 UTC] drwho_who at yahoo dot com
wow....grow up
 [2019-05-03 15:45 UTC] spam2 at rhsoft dot net
> PHP should kill itself is code is not correct
> MAJOR SECURITY HOLE

bullshit!

when short_opentags is disabled anything with <? ?> is not code at all

hence don't rely on random configs which can be different on every server and than blame php because you are too lazy write proper <?php as anybody does for years now

RTFM: https://www.php.net/manual/en/ini.core.php#ini.short-open-tag
 [2019-05-03 15:47 UTC] daverandom@php.net
-Block user comment: No +Block user comment: Yes
 [2019-05-03 15:47 UTC] daverandom@php.net
You are correct, it is a security hole, which is why short tags are in the process of being removed from the language https://wiki.php.net/rfc/deprecate_php_short_tags

The solution to the problem is simply to not ever use short open tags.
 [2019-05-03 15:47 UTC] daverandom@php.net
I've closed comments on this before it gets any worse.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 02 20:01:32 2024 UTC