
Spot the Vuln - Percentage

100 per cent of us die, and the percentage cannot be increased.
C.S. Lewis

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real-world web applications. Every Monday morning, a vulnerable code snippet is posted. Read the vulnerable code and try to identify where the security vulnerability lies. Every Friday, a solution is posted so you can check your answer. Each exercise is designed to take between 5 and 10 minutes. Do it over your morning coffee, and you will be on your way to writing more secure applications.

<?php ...snip... } elseif (isset($_POST['fetch'])) { // ajax pagination if (function_exists('wp_timezone_override_offset')) wp_timezone_override_offset(); $st = (int) $_POST['fetch'] - 1; if (!empty($_POST['title'])) { $cond = "and m.title LIKE '%" . mysql_real_escape_string($_POST['title']) . "%' "; } else $cond = ''; if ($_POST['preacher'] != 0) { $cond .= 'and m.preacher_id = ' . (int) $_POST['preacher'] . ' '; } if ($_POST['series'] != 0) { $cond .= 'and m.series_id = ' . (int) $_POST['series'] . ' '; } $m = $wpdb->get_results("SELECT SQL_CALC_FOUND_ROWS m.id, m.title, m.datetime, p.name as pname, s.name as sname, ss.name as ssname FROM {$wpdb->prefix}sb_sermons as m LEFT JOIN {$wpdb->prefix}sb_preachers as p ON m.preacher_id = p.id LEFT JOIN {$wpdb->prefix}sb_services as s ON m.service_id = s.id LEFT JOIN {$wpdb->prefix}sb_series as ss ON m.series_id = ss.id WHERE 1=1 {$cond} ORDER BY m.datetime desc, s.time desc LIMIT {$st}, ".sb_get_option('sermons_per_page')); $cnt = $wpdb->get_var("SELECT FOUND_ROWS()"); ?> <?php foreach ($m as $sermon): ?> <tr class="<?php echo ++$i % 2 == 0 ? 'alternate' : '' ?>"> <th style="text-align:center" scope="row"><?php echo $sermon->id ?></th> <td><?php echo stripslashes($sermon->title) ?></td> <td><?php echo stripslashes($sermon->pname) ?></td> <td><?php echo ($sermon->datetime == '1970-01-01 00:00:00') ? 
__('Unknown', $sermon_domain) : strftime('%d %b %y', strtotime($sermon->datetime)); ?></td> <td><?php echo stripslashes($sermon->sname) ?></td> <td><?php echo stripslashes($sermon->ssname) ?></td> <td><?php echo sb_sermon_stats($sermon->id) ?></td> <td style="text-align:center"> <a href="<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/new_sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Edit', $sermon_domain) ?></a> | <a onclick="return confirm('Are you sure?')" href="<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Delete', $sermon_domain) ?></a> </td> </tr> <?php endforeach ?> <script type="text/javascript"> <?php if($cnt<sb_get_option('sermons_per_page') || $cnt <= $st+sb_get_option('sermons_per_page')): ?> jQuery('#right').css('display','none'); <?php elseif($cnt > $st+sb_get_option('sermons_per_page')): ?> jQuery('#right').css('display',''); <?php endif ?> </script> <?php } elseif (isset($_POST['fetchU']) || isset($_POST['fetchL']) || isset($_POST['search'])) { // ajax pagination (uploads) if (isset($_POST['fetchU'])) { $st = (int) $_POST['fetchU'] - 1; $abc = $wpdb->get_results("SELECT f.*, s.title FROM {$wpdb->prefix}sb_stuff AS f LEFT JOIN {$wpdb->prefix}sb_sermons AS s ON f.sermon_id = s.id WHERE f.sermon_id = 0 AND f.type = 'file' ORDER BY f.name LIMIT {$st}, ".sb_get_option('sermons_per_page')); } elseif (isset($_POST['fetchL'])) { $st = (int) $_POST['fetchL'] - 1; $abc = $wpdb->get_results("SELECT f.*, s.title FROM {$wpdb->prefix}sb_stuff AS f LEFT JOIN {$wpdb->prefix}sb_sermons AS s ON f.sermon_id = s.id WHERE f.sermon_id <> 0 AND f.type = 'file' ORDER BY f.name LIMIT {$st}, ".sb_get_option('sermons_per_page')); } else { $s = mysql_real_escape_string($_POST['search']); $abc = $wpdb->get_results("SELECT f.*, s.title FROM {$wpdb->prefix}sb_stuff AS f LEFT JOIN {$wpdb->prefix}sb_sermons AS s ON f.sermon_id = s.id WHERE f.name LIKE '%{$s}%' AND f.type = 'file' ORDER BY f.name;"); } ?> <?php 
if (count($abc) >= 1): ?> <?php foreach ($abc as $file): ?> <tr class="file <?php echo (++$i % 2 == 0) ? 'alternate' : '' ?>" id="<?php echo $_POST['fetchU'] ? '' : 's' ?>file<?php echo $file->id ?>"> <th style="text-align:center" scope="row"><?php echo $file->id ?></th> <td id="<?php echo $_POST['fetchU'] ? '' : 's' ?><?php echo $file->id ?>"><?php echo substr($file->name, 0, strrpos($file->name, '.')) ?></td> <td style="text-align:center"><?php echo isset($filetypes[substr($file->name, strrpos($file->name, '.') + 1)]['name']) ? $filetypes[substr($file->name, strrpos($file->name, '.') + 1)]['name'] : strtoupper(substr($file->name, strrpos($file->name, '.') + 1)) ?></td> <?php if (!isset($_POST['fetchU'])) { ?><td><?php echo stripslashes($file->title) ?></td><?php } ?> <td style="text-align:center"> <script type="text/javascript" language="javascript"> function deletelinked_<?php echo $file->id;?>(filename, filesermon) { if (confirm('Do you really want to delete '+filename+'?')) { if (filesermon != '') { return confirm('This file is linked to the sermon called ['+filesermon+']. Are you sure you want to delete it?'); } return true; } return false; } </script> <?php if (isset($_POST['fetchU'])) { ?><a id="" href="<?php echo $_SERVER['PHP_SELF']."?page=sermon-browser/new_sermon.php&amp;getid3={$file->id}"; ?>"><?php _e('Create sermon', $sermon_domain) ?></a> | <?php } ?> <a id="link<?php echo $file->id ?>" href="javascript:rename(<?php echo $file->id ?>, '<?php echo $file->name ?>')"><?php _e('Rename', $sermon_domain) ?></a> | <a onclick="return deletelinked_<?php echo $file->id;?>('<?php echo str_replace("'", '', $file->name) ?>', '<?php echo str_replace("'", '', $file->title) ?>');" href="javascript:kill(<?php echo $file->id ?>, '<?php echo $file->name ?>');"><?php _e('Delete', $sermon_domain) ?></a> </td> </tr> <?php endforeach ?> <?php else: ?> <tr> <td><?php _e('No results', $sermon_domain) ?></td> </tr> <?php endif ?> <?php } die(); ?>
About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/
