AppSec Blog

Spot the Vuln - Notes

The best way to waste your life, ... is by taking notes. The easiest way to avoid living is to just watch. Look for the details. Report. Don't participate.
Chuck Palahniuk

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

<?php ...snip... // tags $tags = explode(',', $_POST['tags']); $wpdb->query("DELETE FROM {$wpdb->prefix}sb_sermons_tags WHERE sermon_id = $id;"); foreach ($tags as $tag) { $clean_tag = trim(mysql_real_escape_string($tag)); $existing_id = $wpdb->get_var("SELECT id FROM {$wpdb->prefix}sb_tags WHERE name='$clean_tag'"); if (is_null($existing_id)) { $wpdb->query("INSERT INTO {$wpdb->prefix}sb_tags VALUES (null, '$clean_tag')"); $existing_id = $wpdb->insert_id; } $wpdb->query("INSERT INTO {$wpdb->prefix}sb_sermons_tags VALUES (null, $id, $existing_id)"); } sb_delete_unused_tags(); // everything is fine, get out of here! if(!isset($error)) { sb_ping_gallery(); echo "<script>document.location = '".$_SERVER['PHP_SELF']."?page=sermon-browser/sermon.php&saved=true';</script>"; die(); } } $id3_tags = array(); if (isset($_GET['getid3'])) { require_once('getid3/getid3.php'); $file_data = $wpdb->get_row("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = ".$_GET['getid3']); if ($file_data !== NULL) { $getID3 = new getID3; if ($file_data->type == 'url') { $filename = substr($file_data->name, strrpos ($file_data->name, '/')+1); $sermonUploadDir = SB_ABSPATH.sb_get_option('upload_dir'); $tempfilename = $sermonUploadDir.preg_replace('/([ ])/e', 'chr(rand(97,122))', '').'.mp3′; if ($tempfile = @fopen($tempfilename, 'wb')) if ($remote_file = @fopen($file_data->name, 'r')) { $remote_contents = "; while (!feof($remote_file)) { $remote_contents .= fread($remote_file, 8192); if (strlen($remote_contents) > 65536) break; } fwrite($tempfile, $remote_contents); fclose($remote_file); fclose($tempfile); $id3_raw_tags = $getID3->analyze(realpath($tempfilename)); unlink ($tempfilename); } } else { $filename = $file_data->name; $id3_raw_tags = $getID3->analyze(realpath(SB_ABSPATH.sb_get_option('upload_dir').$filename)); } if (!isset($id3_raw_tags['tags'])) { echo '<div id="message" class="updated fade"><p><b>'.__('No ID3 tags found.', $sermon_domain); if ($file_data->type == 'url') echo ' Remote files must have id3v2 tags.'; echo '</b></div>'; } ...snip... ?>
About the Authors:
Brett Hardin and Billy Rios run, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting

Post a Comment


* Indicates a required field.