AppSec Blog

Spot the Vuln - Curiosity

The cure for boredom is curiosity. There is no cure for curiosity.
Ellen Parr

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

<?php
require_once('../../../wp-config.php');
require_once('../../../wp-includes/functions.php');

// CSRF attack protection. Check the Referal field to be the same
// domain of the script
$k_id       = strip_tags($wpdb->escape($_GET['id']));
$k_action   = strip_tags($wpdb->escape($_GET['action']));
$k_path     = strip_tags($wpdb->escape($_GET['path']));
$k_imgIndex = strip_tags($wpdb->escape($_GET['imgIndex']));

$table_name         = $wpdb->prefix . 'comment_rating';
$comment_table_name = $wpdb->prefix . 'comments';

if($k_id && $k_action && $k_path) {
    //Check to see if the comment id exists and grab the rating
    $query = "SELECT * FROM `$table_name` WHERE ck_comment_id = $k_id";
    $result = mysql_query($query);
    if(!$result) {
        die('error|mysql: '.mysql_error());
    }
    if(mysql_num_rows($result)) {
        $duplicated = 0; // used as a counter to off set duplicated votes
        if($row = @mysql_fetch_assoc($result)) {
            if(strstr($row['ck_ips'], getenv("REMOTE_ADDR"))) {
                // die('error|You have already voted on this item!');
                // Just don't count duplicated votes
                $duplicated = 1;
                $ck_ips = $row['ck_ips'];
            } else {
                $ck_ips = $row['ck_ips'] . ',' . getenv("REMOTE_ADDR"); // IPs are separated by ','
            }
        }
        $total = $row['ck_rating_up'] - $row['ck_rating_down'];
        if($k_action == 'add') {
            $rating = $row['ck_rating_up'] + 1 - $duplicated;
            $direction = 'up';
            $total = $total + 1 - $duplicated;
        } elseif($k_action == 'subtract') {
            $rating = $row['ck_rating_down'] + 1 - $duplicated;
            $direction = 'down';
            $total = $total - 1 + $duplicated;
        } else {
            die('error|Try again later'); //No action given.
        }
        if (!$duplicated) {
            $query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";
            $result = mysql_query($query);
            if(!$result) {
                // die('error|query '.$query);
                die('error|Query error');
            }
            // Now duplicated votes will not
            if(!mysql_affected_rows()) {
                die('error|affected '. $rating);
            }
            $karma_modified = 0;
            if (get_option('ckrating_karma_type') == 'likes' && $k_action == 'add') {
                $karma_modified = 1;
                $karma = $rating;
            }
            if (get_option('ckrating_karma_type') == 'dislikes' && $k_action == 'subtract') {
                $karma_modified = 1;
                $karma = $rating;
            }
            if (get_option('ckrating_karma_type') == 'both') {
                $karma_modified = 1;
                $karma = $total;
            }
            if ($karma_modified) {
                $query = "UPDATE `$comment_table_name` SET comment_karma = '$karma' WHERE comment_ID = $k_id";
                $result = mysql_query($query);
                if(!$result) die('error|Comment Query error');
            }
        }
    } else {
        die('error|Comment doesnt exist'); //Comment id not found in db, something wrong ?
    }
} else {
    die('error|Fatal: html format error');
}

// Add the + sign,
if ($total > 0) {
    $total = "+$total";
}

//This sends the data back to the js to process and show on the page
// The dummy field will separate out any potential garbage that
// WP-superCache may attached to the end of the return.
echo("done|$k_id|$rating|$k_path|$direction|$total|$k_imgIndex|dummy");
?>
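A hint for checking your answer, as an added example that is not part of the original post or of the plugin it quotes: the snippet runs every GET parameter through $wpdb->escape() and then drops id into the SQL without surrounding quotes. Assuming $wpdb->escape() behaves like PHP's addslashes() (it only backslash-escapes quotes and backslashes), the stand-alone script below contrasts that pattern with integer validation, the check a reviewer would want for any value used in a numeric SQL position.

```php
<?php
// Added example; constructed inputs, no database needed.
// Assumption: $wpdb->escape() ~ addslashes(). Quote-escaping only helps
// when the value sits inside quotes; "ck_comment_id = $k_id" has none.

function build_lookup_query_escaped(string $raw_id, string $table): string
{
    // Same pattern as the snippet: escape, strip tags, interpolate unquoted.
    $id = strip_tags(addslashes($raw_id));
    return "SELECT * FROM `$table` WHERE ck_comment_id = $id";
}

function build_lookup_query_validated(string $raw_id, string $table): ?string
{
    // Comment IDs are positive integers; anything else is rejected outright,
    // so only a bare integer can ever reach the query text.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller should die('error|...') as the snippet does elsewhere
    }
    return sprintf("SELECT * FROM `%s` WHERE ck_comment_id = %d", $table, $id);
}

$table = 'wp_comment_rating';
foreach (['42', '42 abc', "42'"] as $input) { // constructed inputs
    printf("input %-8s escaped:   %s\n", var_export($input, true),
           build_lookup_query_escaped($input, $table));
    printf("input %-8s validated: %s\n", var_export($input, true),
           build_lookup_query_validated($input, $table) ?? 'rejected');
}
```

The escaped variant passes '42 abc' through untouched and turns "42'" into 42\' while still leaving it unquoted in the statement; the validated variant accepts only 42. Inside WordPress the idiomatic form of the same fix is $wpdb->prepare() with a %d placeholder.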
About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/
