AppSec Blog

Spot the Vuln - Vegetables

People need trouble — a little frustration to sharpen the spirit on, toughen it. Artists do; I don't mean you need to live in a rat hole or gutter, but you have to learn fortitude, endurance. Only vegetables are happy.
- William Faulkner

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real-world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

```php
<?php
...snip...
function kd_admin_options_su(){
    global $table_prefix, $wpdb, $user_ID;
    $table_name = $table_prefix . "short_url";
    if($wpdb->get_var("show tables like '$table_name'") != $table_name){
        $sql = "CREATE TABLE ".$table_name." (
            link_id int(11) NOT NULL auto_increment,
            link_url text NOT NULL,
            link_desc text NOT NULL,
            link_count int(11) NOT NULL default '0',
            PRIMARY KEY (`link_id`)
        );";
        require_once(ABSPATH . 'wp-admin/upgrade-functions.php');
        dbDelta($sql);
    }
    if(isset($_POST['action'])) {
        $action = $_POST['action'];
        if($action == "create"){
            $add_url = $_POST['form_url'];
            $add_desc = $_POST['form_desc'];
            if($add_url == "http://" || (!$add_url)){
                $ERR = $ERR . "<br>You must enter a URL to redirect to!";
            }
            if(!$ERR){
                $wpdb->query("INSERT INTO $table_name (link_url,link_desc) VALUES ('$add_url','$add_desc')");
                $new_url = get_option("siteurl") . "/u/" . mysql_insert_id();
                $MES = $MES . "<br>The redirect URL has been added. Your new Short URL is: " . $new_url;
            }
        }
        if($action == "edit"){
            $edit_id = $_POST['id'];
            $edit_url = $_POST['form_url'];
            $edit_desc = $_POST['form_desc'];
            if($edit_url == "http://" || (!$edit_url)){
                $ERR = $ERR . "<br>You must enter a URL to redirect to!";
            }
            if(!$ERR){
                $wpdb->query("UPDATE $table_name SET link_url='$edit_url',link_desc='$edit_desc' WHERE link_id = $edit_id");
                $MES = $MES . "<br>The redirect URL has been modified.";
            }
        }
        if($action == "delete"){
            $delete_id = $_POST['id'];
            $wpdb->query("DELETE FROM $table_name WHERE link_id = '$delete_id'");
            $MES = $MES . "<br>Redirect deleted!";
        }
        if($action == "clearall"){
            $wpdb->query("UPDATE $table_name SET link_count='0' WHERE link_count > 0");
            $MES = $MES . "<br>Counts have been reset!";
        }
    }
?>
<div class=wrap>
<form method="post">
<h2>Short URL Admin</h2>
<?php
    if($ERR){ echo "<p>" . $ERR . "</p>"; }
    if($MES){ echo "<p>" . $MES . "</p>"; }
?>
<p>Short URL allows you to create shorter URL's and keeps track of how many times a link has been clicked.
It's useful for managing downloads, keeping track of outbound links and for masking URL's. Clicking the Clear All Clicks button will reset the count for each entry. Visit the <a href="">plugin page</a> for more information about this plugin.</p>
<h2>Current Redirects</h2>
<table class="widefat">
<thead>
<tr>
<th scope="col">Short URL (The URL to use)</th>
<th scope="col">Real URL (Where it redirects to)</th>
<th scope="col">Notes</th>
<th scope="col">Amount of Clicks</th>
<th scope="col">Manage</th>
</tr>
</thead>
<tbody id="the-list">
<?php
    $rowdata = $wpdb->get_results("SELECT * FROM $table_name");
    foreach ($rowdata as $row) {
        $is_editing = $_POST['edit_id'];
        if($is_editing){
            if($is_editing == $row->link_id){
                $EDIT = 1;
                $EDIT_ID = $row->link_id;
                $EDIT_URL = $row->link_url;
                $EDIT_DESC = $row->link_desc;
            }
        }
?>
<tr class='<?php echo $class; ?>'>
<th scope="row"><a href="<? echo get_option("siteurl") . "/u/" . $row->link_id; ?>" target="_blank"><? echo get_option("siteurl") . "/u/" . $row->link_id; ?></a></th>
<td><? echo $row->link_url; ?></td>
<td><? echo $row->link_desc; ?></td>
<td><? echo $row->link_count; ?></td>
<td>
<form method="post" name="delete"><input type="hidden" name="action" value="delete"><input type="hidden" name="id" value="<? echo $row->link_id; ?>"><input type="submit" value="Delete"></form>
<form method="post" name="edit"><input type="hidden" name="edit_id" value="<? echo $row->link_id; ?>"><input type="submit" value="Edit"></form>
</td>
...snip...
```
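For comparison, here is the hardening a reviewer would apply to this pattern, written as an added example rather than the plugin's or the blog's code: $_POST values go through $wpdb->prepare() instead of being concatenated into SQL, database values are escaped for the HTML context they land in, and the admin form carries a nonce. The function names and the nonce action string 'kd_short_url_admin' are assumptions of this example.

```php
<?php
// Added example: hardened versions of the "edit"/"delete" handlers and the row output.
// Assumes the same $wpdb, $table_prefix, $ERR and $MES globals as the snippet above;
// the nonce action name 'kd_short_url_admin' is an assumption of this example.
function kd_handle_short_url_post_hardened() {
    global $wpdb, $table_prefix, $ERR, $MES;
    $table_name = $table_prefix . "short_url";
    if (!isset($_POST['action'])) { return; }
    // Reject requests that did not originate from this admin form (CSRF).
    check_admin_referer('kd_short_url_admin');
    $action = $_POST['action'];
    if ($action == "edit") {
        $edit_id   = intval($_POST['id']);              // integer column: coerce, never interpolate raw
        $edit_url  = stripslashes($_POST['form_url']);  // undo WP's added slashes before validating
        $edit_desc = stripslashes($_POST['form_desc']);
        if ($edit_url == "http://" || !$edit_url || $edit_id <= 0) {
            $ERR .= "<br>You must enter a URL to redirect to!";
        }
        if (!$ERR) {
            // %s and %d placeholders are quoted/escaped by $wpdb->prepare, so the input
            // cannot alter the structure of the statement.
            $wpdb->query($wpdb->prepare(
                "UPDATE $table_name SET link_url = %s, link_desc = %s WHERE link_id = %d",
                $edit_url, $edit_desc, $edit_id));
            $MES .= "<br>The redirect URL has been modified.";
        }
    }
    if ($action == "delete") {
        $delete_id = intval($_POST['id']);
        $wpdb->query($wpdb->prepare("DELETE FROM $table_name WHERE link_id = %d", $delete_id));
        $MES .= "<br>Redirect deleted!";
    }
}

// Row output: every database value is escaped for the context it is written into.
function kd_render_row_hardened($row) {
    $short = esc_url(get_option("siteurl") . "/u/" . intval($row->link_id));
    echo '<tr>';
    echo '<th scope="row"><a href="' . $short . '" target="_blank">' . esc_html($short) . '</a></th>';
    echo '<td>' . esc_html($row->link_url) . '</td>';      // HTML text context
    echo '<td>' . esc_html($row->link_desc) . '</td>';
    echo '<td>' . intval($row->link_count) . '</td>';
    echo '<td><form method="post">';
    wp_nonce_field('kd_short_url_admin');                  // emits the nonce the handler checks
    echo '<input type="hidden" name="action" value="delete">';
    echo '<input type="hidden" name="id" value="' . esc_attr($row->link_id) . '">'; // attribute context
    echo '<input type="submit" value="Delete"></form></td></tr>';
}
```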
About the Authors:
Brett Hardin and Billy Rios run, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting
