user2479024

Reputation: 61

My admin control panel is hackable and I have no idea why

I have the following setup on my admin cpanel:

If a user is not logged in, it automatically goes back to login.php, so they can't access index.php and sendEmailsToAll.php without being logged in.

On both pages I do the following:

    require "logincheck.php";

The logincheck looks like this:

    <?php
    session_start();
    if(!isset($_SESSION['logincheck'])) {
        // Emits a client-side redirect only; PHP keeps executing the
        // including page after this block for the same request.
        echo '<script language="Javascript">';
        echo 'window.location="login.php"';
        echo '</script>';
    }
    ?>

So if I browse manually to any of those pages without being logged in, it works and it brings me back to the login page.

I've tried to run an Audit Tool (Acunetix) on the website.

The tool was able to identify and do POST requests to both index and sendemails pages (so it actually sent email to my address with gibberish) without authenticating first.

How could I prevent this?

Upvotes: 3

Views: 390

Answers (1)

Jessica

Reputation: 7005

Don't use JAVASCRIPT to do a redirect! Use

    header('Location: login.php');
    exit;

Upvotes: 17
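A complete logincheck.php built on that answer, added here as an illustration (it is not code from the question or the answer). It assumes, as in the question, that the session flag is named `logincheck`, that login.php sits in the same directory as the protected pages, and that index.php and sendEmailsToAll.php keep their `require "logincheck.php";` line at the top:

```php
<?php
// logincheck.php (hardened, added example; assumptions noted above)
session_start();

if (!isset($_SESSION['logincheck'])) {
    // Server-side redirect: every client receives a 302 with a Location header,
    // whether or not it executes JavaScript. The third argument of header()
    // sets the HTTP status code explicitly.
    header('Location: login.php', true, 302);

    // Stop the request here. Without exit, PHP would continue into the
    // including page (index.php or sendEmailsToAll.php) and run its code,
    // including any mail-sending handler for a POST, for an unauthenticated client.
    exit;
}
// Reaching this point means the session is authenticated; the including page continues.
```

The scanner in the question never ran the `<script>` block, so the redirect was invisible to it while the rest of the page still executed and sent the emails. With this version, an unauthenticated request, browser or not, gets only the redirect response and an empty body, and the protected code below the require line is never reached.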
