AppSec Blog

Spot the Vuln - Character

Knowledge will give you power, but character respect.
- Bruce Lee

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

<?php

...snip...

//Get a link for the Start Slideshow for PicLens
function getPicLensLink($g, $atts){
    if($atts['link_text']){
        $link_text = $atts['link_text'];
    } else {
        $link_text = 'Start Slideshow <img src="http://lite.piclens.com/images/PicLensButton.png" alt="PicLens" width="16" height="12" border="0" align="absmiddle">';
    }

    // Gallery settings that become the Media RSS feed query string
    $picatts['id'] = $g['gallery_id'];
    $picatts['thumb_width'] = $g['thumb_width'];
    $picatts['thumb_height'] = $g['thumb_height'];
    $picatts['gallery_type'] = $g['gallery_type'];
    $picatts['images'] = $g['images'];
    $picatts['page'] = $g['page'];

    if($g['tags'] == 'post_tags'){
        $picatts['tags'] = $this->getPostTags(0);
    } else {
        $picatts['tags'] = $g['tags'];
    }

    $param_array = $this->filterMRSSAttsFromArray($picatts, "");

    if( is_array($param_array)){
        $params = implode("&", $param_array);
        //$params = urlencode($params);
    }

    $ret = '<a class="piclenselink" href="javascript:PicLensLite.start({feedUrl:\'' . plugins_url() . '/photosmash-galleries/bwbps-media-rss.php?' . $params . '\'});"> ' . $link_text . ' </a> ';

    return $ret;
}

// Comma-separated list of the current post's tag names
function getPostTags($post_id){
    if(!$post_id ){
        global $wp_query;
        $post_id = $wp_query->post->ID;
    }

    $terms = wp_get_object_terms( $post_id, 'post_tag', $args ) ;

    if(is_array($terms)){
        foreach( $terms as $term ){
            $_terms[] = $term->name;
        }
        unset($terms);

        if( is_array($_terms)){
            $ret = implode("," , $_terms);
        } else {
            $ret = "";
        }
    }

    return $ret;
}

/*SECTION: Media Uploader Integration
 * Media Uploader Integration for Admin -> Photo Manager uploading images
 */
function mediaUAddGalleryFieldToMediaUploader(){
    if(isset($_REQUEST['bwbps_galid']) && (int)$_REQUEST['bwbps_galid']){
        echo "<input type='hidden' id='bwbps_mediau_galid' name='bwbps_mediau_galid' value='" . (int)$_REQUEST['bwbps_galid'] . "' />
            <input type='hidden' id='bwbps_galid' name='bwbps_galid' value='" . (int)$_REQUEST['bwbps_galid'] . "' />
            <input type='hidden' name='bwbps_galname' value='" . $_REQUEST['bwbps_galname'] . "' />
            <div style='background-color: #eaffdf; padding: 5px; border: 1px solid #a0a0a0; margin: 3px; font-size: 14px; color: #333;'>Adding to PhotoSmash: " . $_REQUEST['bwbps_galname'] . "</div> ";
    } else {
        $gid = isset($_REQUEST['bwbps_mediau_galid']) ? (int)$_REQUEST['bwbps_mediau_galid'] : 0;
        $galleryDDL = $this->getGalleryDDL($gid, "select gallery", "", "bwbps_mediau_galid", 30, true, true);
        echo "<div style='padding: 5px; margin: 3px; font-size: 14px; color: #333;'>Add to PhotoSmash: $galleryDDL</div>";
    }
}

function mediaUAddGalleryFieldToFlashUploader(){
?>
<script type="text/javascript">
    if (typeof flashStartUploadFunctions == 'undefined'){
        var flashStartUploadFunctions = [];

        function addFlashStartUploadFunction( funct_name ){
            flashStartUploadFunctions.push( funct_name );
        }

        function runFlashStartUploadFunctions(){
            if( flashStartUploadFunctions.length > 0 ){
                var bwbfunc;
                for( bwbfunc in flashStartUploadFunctions){
                    eval(flashStartUploadFunctions[ bwbfunc ]);
                }
            }
        }
    }

    addFlashStartUploadFunction( 'bwbpsAddGalleryToFlashUploader();' );

    jQuery(window).load( function() {
        swfu.settings.upload_start_handler = function(){
            runFlashStartUploadFunctions();
        }
    });

    function bwbpsAddGalleryToFlashUploader(){
        jQuery('#bwbps_uploaded_images', top.document).show().append('<h4>Flash upload...preview not available.</h4>');
        var gid = jQuery("#bwbps_mediau_galid_flash").val() + "";
        if( gid ){
            swfu.addPostParam('bwbps_mediau_galid', gid);
            <?php if(isset($_REQUEST['bwbps_galid']) ){ ?>
            swfu.addPostParam('bwbps_galid', gid);
            <?php } ?>
        }
    }
</script>
<?php
    if(isset($_REQUEST['bwbps_galid']) && (int)$_REQUEST['bwbps_galid']){
        $this->count++;
        echo "
        <script type='text/javascript'>
            jQuery(window).load( function() {
                //Hide the other Media Tabs
                jQuery('#tab-type_url').hide();
                jQuery('#tab-library').hide();";

...snip...
?>
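The snippet above builds three kinds of output from gallery and request values: a query string for the Media RSS feed, a javascript: href wrapping that URL, and hidden form fields plus a notice div. As an added example (not PhotoSmash plugin code and not the Friday solution), the standalone PHP below renders the same kinds of fragments while encoding each value for the context it lands in. The function names, the example.invalid base URL and the sample inputs are all constructed for this example, and it assumes a separate page script reads the data-feed-url attribute and starts the slideshow, instead of a javascript: URL in the href.

```php
<?php
// Added example, not part of the PhotoSmash plugin: context-aware output
// encoding for the fragments the snippet above builds. All names are hypothetical.

/** Encode a value for use inside an HTML attribute or text node (both quote styles covered). */
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hidden gallery fields for the media uploader. The gallery id is an integer,
 * so the cast is its validation; the gallery name is free text taken from the
 * request and is escaped at every point where it is written into HTML.
 */
function renderGalleryHiddenFields(array $request): string {
    $galid   = isset($request['bwbps_galid']) ? (int) $request['bwbps_galid'] : 0;
    $galname = isset($request['bwbps_galname']) ? (string) $request['bwbps_galname'] : '';
    if ($galid === 0) {
        return '';
    }
    return "<input type='hidden' id='bwbps_mediau_galid' name='bwbps_mediau_galid' value='{$galid}' />\n"
         . "<input type='hidden' id='bwbps_galid' name='bwbps_galid' value='{$galid}' />\n"
         . "<input type='hidden' name='bwbps_galname' value='" . attr($galname) . "' />\n"
         . "<div class='bwbps-notice'>Adding to PhotoSmash: " . attr($galname) . "</div>\n";
}

/**
 * Media RSS feed URL. Only known keys are passed through, and http_build_query()
 * percent-encodes every key and value (RFC 3986), so tag names or page values
 * containing '&', '=', quotes or spaces cannot alter the query structure.
 */
function buildFeedUrl(string $baseUrl, array $picatts): string {
    $allowed = ['id', 'thumb_width', 'thumb_height', 'gallery_type', 'images', 'page', 'tags'];
    $params  = array_intersect_key($picatts, array_flip($allowed));
    return $baseUrl . '/photosmash-galleries/bwbps-media-rss.php?'
         . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Start-slideshow link. A javascript: href is an HTML attribute wrapping a JS
 * string wrapping a URL, three encoding contexts stacked on each other. Putting
 * the URL in a data attribute leaves exactly one context (HTML attribute) and
 * lets an external script (assumed, not shown) attach the click handler.
 */
function renderPicLensLink(string $feedUrl, string $linkText): string {
    return '<a class="piclenselink" href="#" data-feed-url="' . attr($feedUrl) . '">'
         . attr($linkText) . '</a>';
}

// Constructed sample input: a gallery name and a tag list containing quotes,
// angle brackets and an ampersand, the characters each context must neutralise.
$sampleRequest = ['bwbps_galid' => '7', 'bwbps_galname' => 'Summer "2010" <pics>'];
$samplePicatts = [
    'id' => 7, 'thumb_width' => 100, 'thumb_height' => 75,
    'gallery_type' => 1, 'images' => 20, 'page' => 1,
    'tags' => 'beach,<b>sun</b>&sand',
];

echo renderGalleryHiddenFields($sampleRequest);
$feedUrl = buildFeedUrl('http://example.invalid/wp-content/plugins', $samplePicatts);
echo renderPicLensLink($feedUrl, 'Start Slideshow'), "\n";
```

Running this prints the hidden fields with `&quot;`, `&lt;` and `&gt;` in place of the raw characters, a feed URL whose tags parameter reads `beach%2C%3Cb%3Esun%3C%2Fb%3E%26sand`, and an anchor whose data-feed-url carries that URL with its `&` separators rendered as `&amp;`. The plugin's default link text is an `<img>` tag; if that markup must stay HTML, keep it as a literal in code and escape only text that arrives through shortcode attributes, rather than passing both through the same variable.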
About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/
