CWE-698
Execution After Redirect (EAR)
Incomplete
2008-09-09
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Execution After Redirect (EAR)
The web application sends a redirect to another location, but instead of exiting, it executes additional code.
Informations générales
Modes d'introduction
ImplementationPlateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Technologies
Class: Web Based (Undetermined)Name: Web Server (Sometimes)
Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Other Confidentiality Integrity Availability | Alter Execution Logic, Execute Unauthorized Code or Commands Note: This weakness could affect the control flow of the application and allow execution of untrusted code. |
Exemples observés
| Références | Description |
|---|---|
CVE-2013-1402 | Execution-after-redirect allows access to application configuration details. |
CVE-2009-1936 | chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal. |
CVE-2007-2713 | Remote attackers can obtain access to administrator functionality through EAR. |
CVE-2007-4932 | Remote attackers can obtain access to administrator functionality through EAR. |
CVE-2007-5578 | Bypass of authentication step through EAR. |
CVE-2007-2713 | Chain: Execution after redirect triggers eval injection. |
CVE-2007-6652 | chain: execution after redirect allows non-administrator to perform static code injection. |
Méthodes de détection
Black Box
This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-565
Fear the EAR: Discovering and Mitigating Execution After Redirect VulnerabilitiesAdam Doupé, Bryce Boe, Christopher Kruegel, Giovanni Vigna.
https://sites.cs.ucsb.edu/~chris/research/doc/ccs11_ear.pdf
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 1.0 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Alternate_Terms, Name, Observed_Examples, References | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Applicable_Platforms |
