AppSec Blog

Spot the Vuln - Wood

Remember, a chip on the shoulder is a sure sign of wood higher up.
- Brigham Young

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

<?php
...snip...

function wp_newCategory($args) {
    $this->escape($args);

    $blog_id  = (int) $args[0];
    $username = $args[1];
    $password = $args[2];
    $category = $args[3];

    if (!$this->login_pass_ok($username, $password)) {
        return($this->error);
    }

    // Set the user context and make sure they are
    // allowed to add a category.
    set_current_user(0, $username);
    if (!current_user_can("manage_categories", $page_id)) {
        return(new IXR_Error(401, __("Sorry, you do not have the right to add a category.")));
    }

    // We need this to make use of the wp_insert_category()
    // function.
    require_once(ABSPATH . "wp-admin/admin-db.php");

    // If no slug was provided make it empty so that
    // WordPress will generate one.
    if (empty($category["slug"])) {
        $category["slug"] = "";
    }

    // If no parent_id was provided make it empty
    // so that it will be a top level page (no parent).
    if (!isset($category["parent_id"]))
        $category["parent_id"] = "";

    // If no description was provided make it empty.
    if (empty($category["description"])) {
        $category["description"] = "";
    }

    $new_category = array(
        "cat_name"             => $category["name"],
        "category_nicename"    => $category["slug"],
        "category_parent"      => $category["parent_id"],
        "category_description" => $category["description"]
    );

    $cat_id = wp_insert_category($new_category);
    if (!$cat_id) {
        return(new IXR_Error(500, __("Sorry, the new category failed.")));
    }

    return($cat_id);
}

function wp_suggestCategories($args) {
    global $wpdb;

    $this->escape($args);

    $blog_id     = (int) $args[0];
    $username    = $args[1];
    $password    = $args[2];
    $category    = $args[3];
    $max_results = $args[4];

    if (!$this->login_pass_ok($username, $password)) {
        return($this->error);
    }

    // Only set a limit if one was provided.
    $limit = "";
    if (!empty($max_results)) {
        $limit = "LIMIT {$max_results}";
    }

    $category_suggestions = $wpdb->get_results("
        SELECT cat_ID category_id, cat_name category_name
        FROM {$wpdb->categories}
        WHERE cat_name LIKE '{$category}%'
        {$limit}
    ");

    return($category_suggestions);
}

/* Blogger API functions
 * specs on and */

/* blogger.getUsersBlogs will make more sense once we support multiple blogs */
function blogger_getUsersBlogs($args) {
    $this->escape($args);

    $user_login = $args[1];
    $user_pass  = $args[2];

    if (!$this->login_pass_ok($user_login, $user_pass)) {
        return $this->error;
    }

    set_current_user(0, $user_login);
    $is_admin = current_user_can('level_8');

    $struct = array(
        'isAdmin'  => $is_admin,
        'url'      => get_option('home') . '/',
        'blogid'   => '1',
        'blogName' => get_option('blogname')
    );

    return array($struct);
}

...snip...
?>
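A small checker to help work the exercise, added here and written by the editor rather than taken from the Spot the Vuln authors or from WordPress. It lists every PHP variable interpolated into a double-quoted string and reports whether that variable lands between single quotes in the SQL text, which is the only position where string escaping such as $this->escape() does anything, or outside them. It also follows values through intermediate variables so a chain like $max_results -> $limit -> query is visible. It runs on a constructed copy of the query-building lines from wp_suggestCategories; the regexes assume simple PHP (no nested strings or heredocs). It flags candidates to reason about; deciding which one is the intended vulnerability is still the reader's job.

```python
import re

# Constructed sample input: the query-building statements from the
# wp_suggestCategories snippet above, copied into a string so the
# checker runs offline without the rest of xmlrpc.php.
SAMPLE_PHP = r'''
$limit = "";
if(!empty($max_results)) {
    $limit = "LIMIT {$max_results}";
}
$category_suggestions = $wpdb->get_results("
    SELECT cat_ID category_id, cat_name category_name
    FROM {$wpdb->categories}
    WHERE cat_name LIKE '{$category}%'
    {$limit}
");
'''

# A PHP double-quoted string literal (handles backslash escapes, spans lines).
DOUBLE_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
# A variable interpolated into such a string: {$var}, {$obj->prop} or bare $var.
INTERP = re.compile(r'\{\$[A-Za-z_]\w*(?:->[A-Za-z_]\w*)*\}|\$[A-Za-z_]\w*')
# A simple assignment of a double-quoted string to a variable.
ASSIGN = re.compile(r'(\$[A-Za-z_]\w*)\s*=\s*"((?:[^"\\]|\\.)*)"', re.S)


def find_interpolations(php_source):
    """List (variable, context) for every variable interpolated into a
    double-quoted string. context is 'quoted' when the interpolation sits
    between single quotes in the string body (the position where string
    escaping applies) and 'unquoted' otherwise."""
    findings = []
    for m in DOUBLE_QUOTED.finditer(php_source):
        body = m.group(1)
        for v in INTERP.finditer(body):
            # An odd number of unescaped single quotes before the variable
            # means it sits inside a SQL string literal.
            opened = len(re.findall(r"(?<!\\)'", body[:v.start()]))
            context = 'quoted' if opened % 2 == 1 else 'unquoted'
            findings.append((v.group(0), context))
    return findings


def assignment_sources(php_source):
    """Map each variable assigned from a double-quoted string to the
    variables interpolated into that string, so a value can be followed
    through intermediate variables (e.g. $max_results -> $limit)."""
    sources = {}
    for m in ASSIGN.finditer(php_source):
        name, body = m.group(1), m.group(2)
        sources.setdefault(name, []).extend(
            v.group(0) for v in INTERP.finditer(body))
    return sources


def report(php_source):
    """Human-readable lines: one per interpolation, plus the assignment chain."""
    lines = [f"{var:24} {ctx}" for var, ctx in find_interpolations(php_source)]
    for name, srcs in assignment_sources(php_source).items():
        if srcs:
            lines.append(f"{name} is built from {', '.join(srcs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PHP)))
```

Run it against any other XML-RPC handler by replacing SAMPLE_PHP with that function's body; the table names ({$wpdb->categories}) will always show as unquoted and are trusted here, so the interesting rows are the ones that trace back to an element of $args.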
About the Authors:
Brett Hardin and Billy Rios run, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting
