AppSec Blog

Spot the Vuln - Charming

It is absurd to divide people into good and bad. People are either charming or tedious.
Oscar Wilde

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real-world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

```php
</table>
<br>
<table>
  <tr>
    <td>
      <table>
        <tr><td><input type=checkbox name=oderbycount value=checked <?php print $_GET['oderbycount'] ?>> <?php _e('sort by count if grouped','statpresscn'); ?></td></tr>
        <tr><td><input type=checkbox name=spider value=checked <?php print $_GET['spider'] ?>> <?php _e('include spiders/crawlers/bot','statpresscn'); ?></td></tr>
        <tr><td><input type=checkbox name=feed value=checked <?php print $_GET['feed'] ?>> <?php _e('include feed','statpresscn'); ?></td></tr>
      </table>
    </td>
    <td width=15> </td>
    <td>
      <table>
        <tr>
          <td><?php _e('Limit results to','statpresscn'); ?>
            <select name=limitquery><?php if($_GET['limitquery'] >0) { print "<option>".$_GET['limitquery']."</option>";} ?><option>200</option><option>150</option><option>50</option></select>
          </td>
        </tr>
        <tr><td>&nbsp;</td></tr>
        <tr>
          <td align=right><input type=submit value=<?php _e('Search','statpresscn'); ?> name=searchsubmit></td>
        </tr>
      </table>
    </td>
  </tr>
</table>
<!-- It's strange that the page value should be spc-search, and not others. -->
<input type=hidden name=page value='spc-search'><input type=hidden name=statpress_action value=search>
</form><br>
<?php
if(isset($_GET['searchsubmit'])) {
  # query builder
  $qry="";
  # FIELDS
  $fields="";
  for($i=1;$i<=5;$i++) {
    if($_GET["where$i"] != '') { $fields.=$_GET["where$i"].","; }
  }
  $fields=rtrim($fields,",");
  # WHERE
  $where="WHERE 1=1";
  if($_GET['spider'] != 'checked') { $where.=" AND spider=''"; }
  if($_GET['feed'] != 'checked') { $where.=" AND feed=''"; }
  for($i=1;$i<=5;$i++) {
    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
      $where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";
    }
  }
  # ORDER BY
  $orderby="";
  for($i=1;$i<=5;$i++) {
    if(($_GET["sortby$i"] == 'checked') && ($_GET["where$i"] != '')) { $orderby.=$_GET["where$i"].','; }
  }
  # GROUP BY
  $groupby="";
  for($i=1;$i<=5;$i++) {
    if(($_GET["groupby$i"] == 'checked') && ($_GET["where$i"] != '')) { $groupby.=$_GET["where$i"].','; }
  }
  if($groupby != '') {
    $grouparray = explode(",",rtrim($groupby,','));
    $groupby="GROUP BY ".rtrim($groupby,',');
    $fields.=",count(*) as totale";
    if($_GET['oderbycount'] == 'checked') { $orderby="totale DESC,".$orderby; }
  }
  if($orderby != '') { $orderby="ORDER BY ".rtrim($orderby,','); }
  $limit="LIMIT ".$_GET['limitquery'];
  # Results
  print "<h2>".__('Results','statpresscn')."</h2>";
  $sql="SELECT $fields FROM $table_name $where $groupby $orderby $limit;";
  //print "$sql<br>";
  print "<table class='widefat'><thead><tr>";
  for($i=1;$i<=5;$i++) {
    if($_GET["where$i"] != '') {
      print "<th scope='col'>";
      if((count($grouparray)>0)&&in_array($_GET["where$i"],$grouparray)){ print "<font color=red>"; }
      print ucfirst($f[$_GET["where$i"]]);
      if((count($grouparray)>0)&&in_array($_GET["where$i"],$grouparray)){ print "</font>"; }
      print "</th>";
    }
  }
  if($groupby != '') { print "<th scope='col'><font color=red>".__('Count','statpresscn')."</font></th>"; }
  print "</tr></thead><tbody id='the-list'>";
  $qry=$wpdb->get_results($sql,ARRAY_N);
  $cloumnscount = count($wpdb->get_col_info("name"));
  foreach ($qry as $rk) {
    print "<tr>";
    for($i=1;$i<=$cloumnscount;$i++) {
      print "<td>";
      if($_GET["where$i"] == 'urlrequested') {
        print "<a href=".heart5_config_url($rk[$i-1])." target=_heart5>";
        print iri_StatPress_Decode($rk[$i-1]);
        print "</a>";
      } else {
        print $rk[$i-1];
      }
      // print $rk[$i-1];
      print "</td>";
    }
    print "</tr>";
  }
  print "</table>";
  print "<br /><br /><font size=1 color=gray>sql: $sql</font>";
}
?>
</div>
```
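For comparison, here is an added hardened rewrite of the query-builder half of the snippet in plain PHP; it is not the plugin's code and not the Friday solution. Column names submitted in `where1`..`where5` are checked against an allowlist (playing the role of the `$f` map above), search values are passed out as bound parameters, and the limit is cast to an integer. The function name `build_search_query`, the `$allowed` map, the table name and the sample request are assumptions.

```php
<?php
// Added example, not StatPress code: a hardened query builder for the
// search form above. Returns SQL with '?' placeholders plus bound values
// (for $wpdb->prepare() use '%s' placeholders instead). Names are assumed.
function build_search_query(array $get, array $allowed, string $table): array {
    $fields = $where = $orderby = $groupby = $params = [];
    for ($i = 1; $i <= 5; $i++) {
        $col = $get["where$i"] ?? '';
        // Identifiers cannot be bound, so only allowlisted column names pass.
        if ($col === '' || !isset($allowed[$col])) { continue; }
        $fields[] = "`$col`";
        $what = $get["what$i"] ?? '';
        if ($what !== '') {
            $where[]  = "`$col` LIKE ?";
            $params[] = '%' . $what . '%';   // bound value, never concatenated
        }
        if (($get["sortby$i"] ?? '') === 'checked')  { $orderby[] = "`$col`"; }
        if (($get["groupby$i"] ?? '') === 'checked') { $groupby[] = "`$col`"; }
    }
    if (!$fields) { throw new InvalidArgumentException('no valid field selected'); }
    if (($get['spider'] ?? '') !== 'checked') { $where[] = "spider = ''"; }
    if (($get['feed'] ?? '') !== 'checked')   { $where[] = "feed = ''"; }
    if ($groupby) {
        $fields[] = 'COUNT(*) AS totale';
        if (($get['oderbycount'] ?? '') === 'checked') { array_unshift($orderby, 'totale DESC'); }
    }
    // LIMIT takes an integer only; anything else falls back to the form default.
    $limit = (int) ($get['limitquery'] ?? 0);
    if ($limit < 1) { $limit = 200; }

    $sql = 'SELECT ' . implode(', ', $fields) . " FROM `$table`";
    if ($where)   { $sql .= ' WHERE ' . implode(' AND ', $where); }
    if ($groupby) { $sql .= ' GROUP BY ' . implode(', ', $groupby); }
    if ($orderby) { $sql .= ' ORDER BY ' . implode(', ', $orderby); }
    return [$sql . " LIMIT $limit", $params];
}

// Constructed request: a quote in the search value, an unknown column name
// and a non-numeric limit. The value is bound; the other two are dropped.
$allowed = ['urlrequested' => 'URL', 'ip' => 'IP', 'agent' => 'User agent'];
[$sql, $params] = build_search_query([
    'where1' => 'ip', 'what1' => "10.0.0.1'", 'sortby1' => 'checked',
    'where2' => 'not_a_column', 'what2' => 'x', 'limitquery' => 'abc',
], $allowed, 'wp_statpress');
echo $sql, PHP_EOL;
print_r($params);
```

The same allowlist should also drive the header loop, since `$f[$_GET["where$i"]]` there trusts the same request field.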
About the Authors:
Brett Hardin and Billy Rios run, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting
