AppSec Blog

Spot the Vuln - Tougher

I survived because I was tougher than anybody else.
- Bette Davis

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

...<snip>...

// Load the admin.php language file
require FORUM_ROOT.'lang/'.$forum_user['language'].'/admin_common.php';
require FORUM_ROOT.'lang/'.$forum_user['language'].'/admin_settings.php';

$section = isset($_GET['section']) ? $_GET['section'] : null;

if (isset($_POST['form_sent']))
{
    $form = array_map('trim', $_POST['form']);

    ($hook = get_hook('aop_form_submitted')) ? eval($hook) : null;

    ...<snip>...

    ($hook = get_hook('aop_pre_update_configuration')) ? eval($hook) : null;

    foreach ($form as $key => $input)
    {
        // Only update permission values that have changed
        if (array_key_exists('p_'.$key, $forum_config) && $forum_config['p_'.$key] != $input)
        {
            $query = array(
                'UPDATE' => 'config',
                'SET'    => 'conf_value='.$input,
                'WHERE'  => 'conf_name=\'p_'.$forum_db->escape($key).'\''
            );

            ($hook = get_hook('aop_qr_update_permission_conf')) ? eval($hook) : null;
            $forum_db->query_build($query) or error(__FILE__, __LINE__);
        }

        // Only update option values that have changed
        if (array_key_exists('o_'.$key, $forum_config) && $forum_config['o_'.$key] != $input)
        {
            if ($input != '' || is_int($input))
                $value = '\''.$forum_db->escape($input).'\'';
            else
                $value = 'NULL';

            $query = array(
                'UPDATE' => 'config',
                'SET'    => 'conf_value='.$value,
                'WHERE'  => 'conf_name=\'o_'.$forum_db->escape($key).'\''
            );

            ($hook = get_hook('aop_qr_update_permission_option')) ? eval($hook) : null;
            $forum_db->query_build($query) or error(__FILE__, __LINE__);
        }
    }

    // Regenerate the config cache
    if (!defined('FORUM_CACHE_FUNCTIONS_LOADED'))
        require FORUM_ROOT.'include/cache.php';

    generate_config_cache();

    ($hook = get_hook('aop_pre_redirect')) ? eval($hook) : null;

    redirect(forum_link($forum_url['admin_settings_'.$section]), $lang_admin_settings['Settings updated'].' '.$lang_admin_common['Redirect']);
}

if (!$section || $section == 'setup')
{
    // Setup the form
    $forum_page['group_count'] = $forum_page['item_count'] = $forum_page['fld_count'] = 0;

    // Setup breadcrumbs
    $forum_page['crumbs'] = array(
        array($forum_config['o_board_title'], forum_link($forum_url['index'])),
        array($lang_admin_common['Forum administration'], forum_link($forum_url['admin_index'])),
        array($lang_admin_common['Settings'], forum_link($forum_url['admin_settings_setup'])),
        array($lang_admin_common['Setup'], forum_link($forum_url['admin_settings_setup']))
    );

    ($hook = get_hook('aop_setup_pre_header_load')) ? eval($hook) : null;

    define('FORUM_PAGE_SECTION', 'settings');
    define('FORUM_PAGE', 'admin-settings-setup');
    require FORUM_ROOT.'header.php';

    // START SUBST - <!-- forum_main -->
    ob_start();

    ($hook = get_hook('aop_setup_output_start')) ? eval($hook) : null;

?>
    <div class="main-content main-frm">
        <form class="frm-form" method="post" accept-charset="utf-8" action="<?php echo forum_link($forum_url['admin_settings_setup']) ?>">
            <div class="hidden">
                <input type="hidden" name="csrf_token" value="<?php echo generate_form_token(forum_link($forum_url['admin_settings_setup'])) ?>" />
                <input type="hidden" name="form_sent" value="1" />
            </div>
            <div class="content-head">
                <h2 class="hn"><span><?php echo $lang_admin_settings['Setup personal'] ?></span></h2>
            </div>

...<snip>...
About the Authors:
Brett Hardin and Billy Rios run, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting
