AppSec Blog

Spot the Vuln - Sleep

It is a common experience that a problem difficult at night is resolved in the morning after a committee of sleep has worked on it.
- John Steinbeck

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

HINT: $to, $subject, and $message are tainted
<?php ...snip...

function smtp_mail($to, $subject, $message, $headers = '')
{
	global $pun_config;

	$recipients = explode(',', $to);

	// Are we using port 25 or a custom port?
	if (strpos($pun_config['o_smtp_host'], ':') !== false)
		list($smtp_host, $smtp_port) = explode(':', $pun_config['o_smtp_host']);
	else
	{
		$smtp_host = $pun_config['o_smtp_host'];
		$smtp_port = 25;
	}

	// Open the connection and wait for the server greeting (220)
	if (!($socket = fsockopen($smtp_host, $smtp_port, $errno, $errstr, 15)))
		error('Could not connect to smtp host "'.$pun_config['o_smtp_host'].'" ('.$errno.') ('.$errstr.')', __FILE__, __LINE__);

	server_parse($socket, '220');

	// EHLO plus AUTH LOGIN when credentials are configured, plain HELO otherwise
	if ($pun_config['o_smtp_user'] != '' && $pun_config['o_smtp_pass'] != '')
	{
		fwrite($socket, 'EHLO '.$smtp_host."\r\n");
		server_parse($socket, '250');

		fwrite($socket, 'AUTH LOGIN'."\r\n");
		server_parse($socket, '334');

		fwrite($socket, base64_encode($pun_config['o_smtp_user'])."\r\n");
		server_parse($socket, '334');

		fwrite($socket, base64_encode($pun_config['o_smtp_pass'])."\r\n");
		server_parse($socket, '235');
	}
	else
	{
		fwrite($socket, 'HELO '.$smtp_host."\r\n");
		server_parse($socket, '250');
	}

	// Envelope: sender, then one RCPT TO per comma-separated recipient
	fwrite($socket, 'MAIL FROM: <'.$pun_config['o_webmaster_email'].'>'."\r\n");
	server_parse($socket, '250');

	$to_header = 'To: ';

	@reset($recipients);
	while (list(, $email) = @each($recipients))
	{
		fwrite($socket, 'RCPT TO: <'.$email.'>'."\r\n");
		server_parse($socket, '250');

		$to_header .= '<'.$email.'>, ';
	}

	// Message: headers, blank line, body, then the end-of-data marker
	fwrite($socket, 'DATA'."\r\n");
	server_parse($socket, '354');

	fwrite($socket, 'Subject: '.$subject."\r\n".$to_header."\r\n".$headers."\r\n\r\n".$message."\r\n");

	fwrite($socket, '.'."\r\n");
	server_parse($socket, '250');

	fwrite($socket, 'QUIT'."\r\n");

	fclose($socket);

	return true;
}
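If you want to check your answer before Friday, the following is an added example (my own, not code from this post or from the PunBB source the snippet comes from) that models in Python the byte stream smtp_mail() writes from MAIL FROM onward and then reads it back the way an SMTP server would, so you can see what each of the three tainted parameters from the hint can do to the conversation. The webmaster address and the attacker inputs are constructed for the example; a hardened builder is included for comparison.

```python
"""
Model of the SMTP stream that the smtp_mail() function above writes to its
socket, fed with the tainted parameters named in the hint ($to, $subject,
$message). Added example for this post; not code from the original post
or from the PunBB/FluxBB source the snippet comes from.
"""
import re
from typing import List

CRLF = "\r\n"
# Constructed stand-in for $pun_config['o_webmaster_email'] (an assumption).
WEBMASTER_EMAIL = "webmaster@example.org"


def build_smtp_stream(to: str, subject: str, message: str, headers: str = "") -> str:
    """Reproduce what smtp_mail() writes from MAIL FROM onward, with the same
    string concatenation and the same absence of validation or dot-stuffing."""
    out = f"MAIL FROM: <{WEBMASTER_EMAIL}>{CRLF}"
    to_header = "To: "
    for email in to.split(","):                    # explode(',', $to)
        out += f"RCPT TO: <{email}>{CRLF}"
        to_header += f"<{email}>, "
    out += f"DATA{CRLF}"
    out += f"Subject: {subject}{CRLF}{to_header}{CRLF}{headers}{CRLF}{CRLF}{message}{CRLF}"
    out += f".{CRLF}QUIT{CRLF}"
    return out


def smtp_commands(stream: str) -> List[str]:
    """Read the stream the way an SMTP server does: command lines until DATA,
    message lines until a line holding a single '.', then commands again.
    Returns every line the server would treat as a command."""
    cmds, in_data = [], False
    for line in stream.split(CRLF):
        if in_data:
            in_data = line != "."
            continue
        if line:
            cmds.append(line)
            in_data = line.upper() == "DATA"
    return cmds


def message_headers(stream: str) -> List[str]:
    """Header lines of the first message, up to the blank separator line."""
    body = stream.split(f"DATA{CRLF}", 1)[1]
    return body.split(CRLF + CRLF, 1)[0].split(CRLF)


# Bare addresses only: no CR, LF, '<', '>', spaces or other separators.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_smtp_stream_hardened(to: str, subject: str, message: str, headers: str = "") -> str:
    """Same stream, but the tainted values can no longer alter the protocol:
    recipients must be bare addresses, the subject may not contain a line
    break, and body lines starting with '.' are dot-stuffed (RFC 5321,
    section 4.5.2) so no body line is mistaken for the end-of-data marker.
    $headers is passed through: in the PHP it is built by the caller."""
    recipients = [r.strip() for r in to.split(",")]
    for r in recipients:
        if not ADDR_RE.fullmatch(r):
            raise ValueError(f"rejected recipient {r!r}")
    if "\r" in subject or "\n" in subject:
        raise ValueError("line break in subject")
    lines = message.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    stuffed = CRLF.join("." + l if l.startswith(".") else l for l in lines)
    return build_smtp_stream(",".join(recipients), subject, stuffed, headers)


def hardened_rejects(to: str, subject: str, message: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_smtp_stream_hardened(to, subject, message)
    except ValueError:
        return True
    return False


# Constructed attacker values for the three tainted parameters.
INJECT_TO = "alice@example.org>" + CRLF + "RCPT TO: <victim@example.net"
INJECT_SUBJECT = "Hello" + CRLF + "Bcc: victim@example.net"
INJECT_MESSAGE = ("Hello" + CRLF + "." + CRLF            # a lone '.' ends DATA early
                  + "MAIL FROM: <spoof@example.org>" + CRLF
                  + "RCPT TO: <victim@example.net>" + CRLF
                  + "DATA" + CRLF + "Subject: injected" + CRLF + CRLF + "spam")

if __name__ == "__main__":
    cases = {
        "benign": ("alice@example.org", "Hello", "Just a note."),
        "to": (INJECT_TO, "Hello", "Just a note."),
        "subject": ("alice@example.org", INJECT_SUBJECT, "Just a note."),
        "message": ("alice@example.org", "Hello", INJECT_MESSAGE),
    }
    for label, args in cases.items():
        stream = build_smtp_stream(*args)
        print(f"{label:8} commands={smtp_commands(stream)}")
        print(f"{'':8} headers={message_headers(stream)}")
```

Running it shows the three different outcomes: a CRLF in $to adds an extra RCPT TO before DATA, a CRLF in $subject adds a header (here a Bcc) inside the message, and a lone "." line in $message closes the DATA section so that the rest of the body is executed as fresh MAIL FROM / RCPT TO / DATA commands. The hardened builder rejects the first two and dot-stuffs the third, after which the server sees only the four commands the function meant to send.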
About the Authors:
Brett Hardin and Billy Rios run, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting