AppSec Blog

Spot the Vuln - Money

Money won't buy happiness, but it will pay the salaries of a large research staff to study the problem.
- Bill Vaughan

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

```php
<?php
// ...snip...
include '../include/config.inc.php';
include '../include/connect.inc.php';
include '../include/functions.inc.php';

session_start();
header("Cache-control: private");

if (!isset($_SESSION['s_admin'])) {
    pg_close($pgconn);
    $address = getaddress($web_port);
    header("location: ${address}login.php");
    exit;
}

$s_org = intval($_SESSION['s_org']);
$s_admin = intval($_SESSION['s_admin']);
$s_access = $_SESSION['s_access'];
$s_access_sensor = intval($s_access{0});

if ($s_access_sensor == 0) {
    $m = 90;
    pg_close($pgconn);
    header("location: sensorstatus.php?selview=$selview&m=$m");
    exit;
}

if (isset($_GET['selview'])) {
    $selview = intval($_GET['selview']);
}

$error = 0;
$keyname = $_POST['keyname'];
$vlanid = $_POST['vlanid'];
$action = $_POST['action'];

if (isset($_POST[tapip])) {
    $tapip = pg_escape_string(stripinput($_POST[tapip]));
    if (preg_match($ipregexp, $tapip)) {
        $sql_checkip = "SELECT tapip FROM sensors WHERE tapip = '$tapip' AND NOT keyname = '$keyname'";
        $result_checkip = pg_query($pgconn, $sql_checkip);
        $checkip = pg_num_rows($result_checkip);
        if ($checkip > 0) {
            $m = 101;
            $error = 1;
        } else {
            $sql_updatestatus = "UPDATE sensors SET tapip = '$tapip' WHERE keyname = '$keyname' AND vlanid ='$vlanid'";
            $result_updatestatus = pg_query($pgconn, $sql_updatestatus);
            $m = 7;
        }
    } else {
        $m = 102;
        $error = 1;
    }
}

if ($error == 0) {
    $sql_updatestatus = "UPDATE sensors SET action = '" .$action. "' WHERE keyname = '$keyname'";
    $result_updatestatus = pg_query($pgconn, $sql_updatestatus);
    $m = 7;
}

pg_close($pgconn);

if ($m != 1) {
    header("location: sensorstatus.php?selview=$selview&m=$m&key=$keyname");
} else {
    header("location: sensorstatus.php?selview=$selview&m=$m");
}
?>
```
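As an added example that is not part of the original post or its Friday solution: the duplicate-IP check and the two UPDATE statements from the snippet rewritten with pg_query_params(), so that the POSTed keyname, vlanid, action and tapip values are bound as parameters rather than concatenated into the SQL strings. $pgconn is assumed to be the connection opened by connect.inc.php, and the allowed action list is a hypothetical placeholder, since the snippet does not show which values action may take.

```php
<?php
// Added example, not the blog's code. Assumes $pgconn is an open pgsql
// connection (as set up by the original include files).

// Sets the tap IP for one sensor, refusing an address already used by a
// different sensor. Every user-controlled value is passed as a bound
// parameter ($1, $2, ...), so quoting inside the value cannot alter the query.
function update_sensor_tapip($pgconn, string $tapip, string $keyname, string $vlanid): bool
{
    $check = pg_query_params(
        $pgconn,
        'SELECT tapip FROM sensors WHERE tapip = $1 AND NOT keyname = $2',
        [$tapip, $keyname]
    );
    if ($check === false || pg_num_rows($check) > 0) {
        return false; // query failed or the address is already taken
    }
    $res = pg_query_params(
        $pgconn,
        'UPDATE sensors SET tapip = $1 WHERE keyname = $2 AND vlanid = $3',
        [$tapip, $keyname, $vlanid]
    );
    return $res !== false;
}

// Records the requested action for one sensor. The allowed set below is a
// hypothetical placeholder; the real application would list its own actions.
function update_sensor_action($pgconn, string $action, string $keyname): bool
{
    $allowed = ['start', 'stop', 'restart']; // assumed, not from the snippet
    if (!in_array($action, $allowed, true)) {
        return false; // reject anything outside the known set
    }
    $res = pg_query_params(
        $pgconn,
        'UPDATE sensors SET action = $1 WHERE keyname = $2',
        [$action, $keyname]
    );
    return $res !== false;
}

// Usage mirroring the original flow (values still come from $_POST, but are
// now read with a default instead of raw, and never touch the SQL text):
// $keyname = $_POST['keyname'] ?? '';
// $vlanid  = $_POST['vlanid'] ?? '';
// $action  = $_POST['action'] ?? '';
// $ok = update_sensor_action($pgconn, $action, $keyname);
```

Because the values are sent separately from the statement, pg_escape_string() is no longer needed for the tapip value either; the preg_match() format check can stay as a plain validation step.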
About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/
