AppSec Blog

Spot the Vuln - Third

Sullivan's Law: When given the choice between two alternatives, always pick the third!
Patrick H. Sullivan

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.


$wpdb->insert( $ninja_annc_table_name, array( 'begindate' => $ninja_annc_begindate, 'enddate' => $ninja_annc_enddate, 'message' => $ninja_annc_message, 'active' => '0', 'location' => $ninja_annc_location ) );
}else{
$wpdb->update( $ninja_annc_table_name, array( 'begindate' => $ninja_annc_begindate, 'enddate' => $ninja_annc_enddate, 'message' => $ninja_annc_message, 'location' => $ninja_annc_location ), array( 'id' => $ninja_annc_id ));
}

echo "window.location = '".$admin_url."'";
} // END submit handling if()

//This if...else() statement handles the nuts and bolts of our html output.
//Eventually it will be replaced by a switch().
//Flow goes: Edit Announcement? -> New Announcement? -> Table.
//This part of our If...else statement creates the editing HTML
if($_REQUEST['action'] == 'edit') { //BEGIN edit handling if()

$ninja_annc_id = $_REQUEST['ninja_annc_id'];
$ninja_annc_row = $wpdb->get_row("SELECT * FROM $ninja_annc_table_name WHERE id = $ninja_annc_id", ARRAY_A);

$ninja_annc_id = $ninja_annc_row['id'];
$ninja_annc_location = $ninja_annc_row['location'];
$ninja_annc_message = stripslashes($ninja_annc_row['message']);
$ninja_annc_begin = $ninja_annc_row['begindate'];
$ninja_annc_end = $ninja_annc_row['enddate'];
$rightnow = current_time("timestamp");

if($ninja_annc_end != 0){
$ninja_annc_begindate = date("m/d/Y", $ninja_annc_begin);
$ninja_annc_begintimehr = date("g", $ninja_annc_begin);
$ninja_annc_begintimemin = date("i", $ninja_annc_begin);
$ninja_annc_begintimeampm = date("a", $ninja_annc_begin);

$ninja_annc_enddate = date("m/d/Y", $ninja_annc_end);
$ninja_annc_endtimehr = date("g", $ninja_annc_end);
$ninja_annc_endtimemin = date("i", $ninja_annc_end);
$ninja_annc_endtimeampm = date("a", $ninja_annc_end);

}else{
$ninja_annc_ignore = 1;
$ninja_annc_begindate = date("m/d/Y", $rightnow);
$ninja_annc_enddate = date("m/d/Y", $rightnow);
}

//$ninja_annc_begindate = $ninja_annc_begindate.' '.$ninja_annc_begintimehr.':'.$ninja_annc_begintimemin.$ninja_annc_begintimeampm;

//echo $ninja_annc_begindate;
wp_tiny_mce( false, // true makes the editor "teeny"
array(
"theme_advanced_path" => false
)
);
wp_tiny_mce_preload_dialogs();
?>

Edit Announcement - ID:

<input type="hidden" name="ninja_annc_id" value="">
Ignore Dates: <input type="checkbox" name="ignoredates" id="ignoredates" value="checked" >
Begin Date: <input type="text" class="date" name="begindate" id="begindate" value="" >
Time:
<select name="begintimehr" id="begintimehr" class="time" >
<?php
$x = 1;
while($x <= 12){
    echo "<option";
    // mark the hour that matches the stored begin time as selected
    if($x == $ninja_annc_begintimehr){ echo " selected"; }
    echo ">$x";
    $x++;
}
?>
...snip...
?>
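As an added example (not the plugin's own code), here is the row lookup from the edit branch above alongside a version that casts the request-supplied id to an integer and binds it through `$wpdb->prepare()`; the function names are mine, and the table name is assumed to be built from `$wpdb->prefix` rather than taken from the request.

```php
<?php
// Added example, not from the original plugin. Assumes a WordPress context
// where $wpdb, absint() and esc_attr() are available, and that $table is
// the server-side table name ($wpdb->prefix . 'ninja_annc' or similar).

// Pattern as written in the snippet: whatever arrives in the request is
// interpolated straight into the SQL string.
function ninja_annc_lookup_unsafe( $wpdb, $table, $request ) {
    $id = $request['ninja_annc_id'];
    return $wpdb->get_row( "SELECT * FROM $table WHERE id = $id", ARRAY_A );
}

// Hardened pattern: only a non-negative integer ever reaches the query,
// and it is bound as a %d placeholder instead of being concatenated.
function ninja_annc_lookup_safe( $wpdb, $table, $request ) {
    $id = isset( $request['ninja_annc_id'] ) ? absint( $request['ninja_annc_id'] ) : 0;
    if ( 0 === $id ) {
        return null; // caller renders a "not found" message instead of the edit form
    }
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_row( $sql, ARRAY_A );
}

// The id is also echoed back into the form; escape it for an attribute
// context rather than writing the raw value.
function ninja_annc_hidden_id_field( $id ) {
    return '<input type="hidden" name="ninja_annc_id" value="'
        . esc_attr( (string) absint( $id ) ) . '">';
}

// Usage inside the edit branch (hypothetical caller):
//   $row = ninja_annc_lookup_safe( $wpdb, $ninja_annc_table_name, $_REQUEST );
//   if ( null === $row ) { echo 'Announcement not found.'; return; }
//   echo ninja_annc_hidden_id_field( $row['id'] );
```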

About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/
