AppSec Blog

Spot the Vuln - Banks

I have always been afraid of banks.
- Andrew Jackson

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

...snip...

```php
<?php

($hook = get_hook('li_forgot_pass_end')) ? eval($hook) : null;

$tpl_temp = forum_trim(ob_get_contents());
$tpl_main = str_replace('<!-- forum_main -->', $tpl_temp, $tpl_main);
ob_end_clean();
// END SUBST - <!-- forum_main -->

require FORUM_ROOT.'footer.php';
}

if (!$forum_user['is_guest'])
    header('Location: '.forum_link($forum_url['index']));

// Setup form
$forum_page['group_count'] = $forum_page['item_count'] = $forum_page['fld_count'] = 0;
$forum_page['form_action'] = forum_link($forum_url['login']);

$forum_page['hidden_fields'] = array(
    'form_sent'    => '<input type="hidden" name="form_sent" value="1" />',
    'redirect_url' => '<input type="hidden" name="redirect_url" value="'.forum_htmlencode($forum_user['prev_url']).'" />',
    'csrf_token'   => '<input type="hidden" name="csrf_token" value="'.generate_form_token($forum_page['form_action']).'" />'
);

// Setup breadcrumbs
$forum_page['crumbs'] = array(
    array($forum_config['o_board_title'], forum_link($forum_url['index'])),
    array(sprintf($lang_login['Login info'], $forum_config['o_board_title']), forum_link($forum_url['login']))
);

($hook = get_hook('li_login_pre_header_load')) ? eval($hook) : null;

define('FORUM_PAGE', 'login');
require FORUM_ROOT.'header.php';

// START SUBST - <!-- forum_main -->
ob_start();

($hook = get_hook('li_login_output_start')) ? eval($hook) : null;

?>
<div class="main-head">
    <h2 class="hn"><span><?php echo sprintf($lang_login['Login info'], $forum_config['o_board_title']) ?></span></h2>
</div>

<div class="main-content main-frm">
    <div class="content-head">
        <p class="hn"><?php printf($lang_login['Login options'], '<a href="'.forum_link($forum_url['register']).'">'.$lang_login['register'].'</a>', '<a href="'.forum_link($forum_url['request_password']).'">'.$lang_login['Obtain pass'].'</a>') ?></p>
    </div>
<?php

// If there were any errors, show them
if (!empty($errors))
{
    $forum_page['errors'] = array();
    foreach ($errors as $cur_error)
        $forum_page['errors'][] = '<li class="warn"><span>'.$cur_error.'</span></li>';

    ($hook = get_hook('li_pre_login_errors')) ? eval($hook) : null;

?>
    <div class="ct-box error-box">
        <h2 class="warn hn"><?php echo $lang_login['Login errors'] ?></h2>
        <ul class="error-list">
            <?php echo implode("\n\t\t\t\t", $forum_page['errors'])."\n" ?>
        </ul>
    </div>
<?php

}

?>
    <div id="req-msg" class="req-warn ct-box error-box">
        <p class="important"><?php printf($lang_common['Required warn'], '<em>'.$lang_common['Required'].'</em>') ?></p>
    </div>
    <form id="afocus" class="frm-form" method="post" accept-charset="utf-8" action="<?php echo $forum_page['form_action'] ?>">
        <div class="hidden">
            <?php echo implode("\n\t\t\t\t", $forum_page['hidden_fields'])."\n" ?>
        </div>
<?php ($hook = get_hook('li_login_pre_login_group')) ? eval($hook) : null; ?>
        <div class="frm-group group<?php echo ++$forum_page['group_count'] ?>">
<?php ($hook = get_hook('li_login_pre_username')) ? eval($hook) : null; ?>
            <div class="sf-set set<?php echo ++$forum_page['item_count'] ?>">
                <div class="sf-box text required">
                    <label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_login['Username'] ?> <em><?php echo $lang_common['Required'] ?></em></span></label><br />
                    <span class="fld-input"><input type="text" id="fld<?php echo $forum_page['fld_count'] ?>" name="req_username" value="<?php echo isset($_POST['req_username']) ? forum_htmlencode($_POST['req_username']) : '' ?>" size="35" maxlength="25" /></span>
                </div>
            </div>
<?php ($hook = get_hook('li_login_pre_pass')) ? eval($hook) : null; ?>
            <div class="sf-set set<?php echo ++$forum_page['item_count'] ?>">
                <div class="sf-box text required">
                    <label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_login['Password'] ?> <em><?php echo $lang_common['Required'] ?></em></span></label><br />
                    <span class="fld-input"><input type="password" id="fld<?php echo $forum_page['fld_count'] ?>" name="req_password" value="<?php echo isset($_POST['req_password']) ? ($_POST['req_password']) : '' ?>" size="35" /></span>
                </div>
            </div>
<?php ($hook = get_hook('li_login_pre_remember_me_checkbox')) ? eval($hook) : null; ?>
            <div class="sf-set set<?php echo ++$forum_page['item_count'] ?>">
                <div class="sf-box checkbox">
                    <span class="fld-input"><input type="checkbox" id="fld<?php echo ++$forum_page['fld_count'] ?>" name="save_pass" value="1" /></span>
                    <label for="fld<?php echo $forum_page['fld_count'] ?>"><span><?php echo $lang_login['Remember me'] ?></span> <?php echo $lang_login['Persistent login'] ?></label>
                </div>
            </div>
<?php ($hook = get_hook('li_login_pre_group_end')) ? eval($hook) : null; ?>
        </div>
<?php ($hook = get_hook('li_login_group_end')) ? eval($hook) : null; ?>
        <div class="frm-buttons">
            <span class="submit"><input type="submit" name="login" value="<?php echo $lang_login['Login'] ?>" /></span>
        </div>
    </form>
</div>
<?php

($hook = get_hook('li_end')) ? eval($hook) : null;

$tpl_temp = forum_trim(ob_get_contents());
$tpl_main = str_replace('<!-- forum_main -->', $tpl_temp, $tpl_main);
ob_end_clean();
// END SUBST - <!-- forum_main -->

require FORUM_ROOT.'footer.php';
```

About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/
