CWE-698 – Execution After Redirect (EAR)


Description

The web application sends a redirect to another location, but instead of exiting, it executes additional code.
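As an added illustration (not part of the CWE entry), the pattern in plain Python emulating a PHP-style output buffer: the vulnerable handler keeps writing the admin page after sending the redirect, the fixed one stops as PHP's `exit` would, and a small check flags any redirect that carries a body. The class and function names and the sample secret are constructed for this example.

```python
# Added illustration, not code from the CWE entry. A tiny PHP-style response
# buffer: header() records a Location header, echo() appends body text, and the
# script keeps running after the redirect unless it stops explicitly.
from typing import Callable, Dict

class Response:
    """Constructed stand-in for a server's output buffer."""
    def __init__(self) -> None:
        self.status = 200
        self.headers: Dict[str, str] = {}
        self.body = ""

    def header(self, location: str) -> None:
        """Like PHP's header('Location: ...'): sets the redirect, does NOT exit."""
        self.status = 302
        self.headers["Location"] = location

    def echo(self, text: str) -> None:
        self.body += text

class StopScript(Exception):
    """Raised to emulate PHP's exit; the dispatcher catches it."""

ADMIN_SECRETS = "db_password=PLACEHOLDER-SECRET\n"  # constructed sample data

def admin_page_vulnerable(resp: Response, is_admin: bool) -> None:
    """CWE-698: the redirect is sent, but execution falls through to the admin body."""
    if not is_admin:
        resp.header("/login")     # missing exit after the redirect
    resp.echo(ADMIN_SECRETS)      # still runs for unauthorised callers

def admin_page_fixed(resp: Response, is_admin: bool) -> None:
    """The redirect terminates the script, so nothing below it can execute."""
    if not is_admin:
        resp.header("/login")
        raise StopScript()        # PHP: exit; immediately after header()
    resp.echo(ADMIN_SECRETS)

def run(handler: Callable[[Response, bool], None], is_admin: bool) -> Response:
    """Dispatch one request and return whatever reached the output buffer."""
    resp = Response()
    try:
        handler(resp, is_admin)
    except StopScript:
        pass
    return resp

def redirect_with_body(resp: Response) -> bool:
    """Detection heuristic: a 3xx response that carries a body points to EAR."""
    return 300 <= resp.status < 400 and resp.body.strip() != ""
```

A client that does not follow redirects sees the full body of the vulnerable response, which is why the check looks at the body rather than the status code alone.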

Modes of Introduction:

– Implementation

Likelihood of Exploit:


Related Weaknesses

CWE-705
CWE-670


Consequences

Other, Confidentiality, Integrity, Availability: Alter Execution Logic, Execute Unauthorized Code or Commands

This weakness could affect the control flow of the application and allow execution of untrusted code.


Potential Mitigations

CVE References


  • CVE-2013-1402
    • Execution-after-redirect allows access to application configuration details.
  • CVE-2009-1936
    • Chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal.
  • CVE-2007-2713
    • Remote attackers can obtain access to administrator functionality through EAR.
  • CVE-2007-4932
    • Remote attackers can obtain access to administrator functionality through EAR.
  • CVE-2007-2713
    • Chain: Execution after redirect triggers eval injection.
  • CVE-2007-6652
    • Chain: execution after redirect allows non-administrator to perform static code injection.