AppSec Blog

Spot the Vuln - Floods

The moment we begin to fear the opinions of others and hesitate to tell the truth that is in us, and from motives of policy are silent when we should speak, the divine floods of light and life no longer flow into our souls.
Elizabeth Cady Stanton

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

<?php

$use_mysql = 1;

if ($use_mysql == 1) {
    require_once('./mysqllog.php');
    require_once('./geoipcity.inc');
}

$ip = getenv("REMOTE_ADDR");
$real_ip = getenv("HTTP_X_FORWARDED_FOR");

if (isset($_GET['id'])) {
    $id = $_GET['id'];
} else {
    $id = $_POST['id'];
}

$info = $_POST['info'];
$user = $_POST['user'];

if ($use_mysql == 1) {
    //-----------------------------------
    $gi = geoip_open('./GeoIPCity.dat', GEOIP_STANDARD);
    $record = geoip_record_by_addr($gi, $ip);
    geoip_close($gi);
    //-----------------------------------
    $info = decode_string($info);
    if (@!mysql_connect($mysql_host, $mysql_login, $mysql_pass)) { echo '<p class="err"> Error. Cant connect to mysql server </p>'; }
    if (@!mysql_selectdb($mysql_db)) { echo '<p class="err"> Error. Cant connect to DB</p>'; }
    $query = 'INSERT INTO pass (add_date,id,uidlog,ip_real,ip,pass,country,city,zip)
      VALUES (now(), "'. $id . '", "'. $user .'", "'. $real_ip . '", "'. $ip .'", "'. $info .'", "'. $record->country_name .'", "'. $record->city .'", "'. $record->postal_code .'")';
    if (@!mysql_query($query)) { echo '<p class="err"> Error. Cant execute query</p>'; }
}
else {
    $date = date("Y-m-d");
    $time = date("H:i:s");

    list($year, $month, $day) = explode('-', $date);
    $filename = "pass.$day.$month.txt";
    $log = "$info@@@@@$user@@@@@$id@@@@@$real_ip@@@@@$ip@@@@@$date@@@@@$time\n";
    $fh = fopen("logs/$filename", "a+");
    fputs($fh, $log);
    fclose($fh);
}

function decode_string($string) {
    $bindata = '';
    for ($i = 0; $i < strlen($string); $i += 2) {
        $bindata .= chr(hexdec(substr($string, $i, 2)));
    }
    return addslashes($bindata);
}
?>
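Spoiler for anyone who wants to check their answer before Friday. The snippet runs decode_string() (and therefore addslashes()) over $info only; $id, $user and $real_ip are concatenated into the INSERT exactly as the client sent them, and $real_ip comes from the X-Forwarded-For header, which any client can set. The flat-file branch has the same shape of problem: fields containing a newline or the "@@@@@" separator can forge extra records. The rewrite below is an added editor's example, not the original snippet and not the site's posted solution. It assumes that $mysql_host, $mysql_db, $mysql_login and $mysql_pass still come from mysqllog.php, that the GeoIP lookup is unchanged, and that the trusted proxy address and the helper names are placeholders.

```php
<?php
// Added editor's example: a hardened rewrite of the logging routine above.
// Not the original snippet and not the site's posted solution.
// Assumed: $mysql_host, $mysql_db, $mysql_login and $mysql_pass come from
// mysqllog.php; $record comes from the unchanged GeoIP lookup; the proxy
// address below is a placeholder.
declare(strict_types=1);

require_once './mysqllog.php';
require_once './geoipcity.inc';

// Same hex decoding as decode_string(), minus addslashes(): quoting is the
// driver's job. Reject odd-length or non-hex input instead of silently
// turning it into arbitrary bytes.
function decode_hex_string(string $hex): string {
    if ($hex === '' || strlen($hex) % 2 !== 0 || !preg_match('/\A[0-9a-f]+\z/i', $hex)) {
        return '';
    }
    return hex2bin($hex);
}

// X-Forwarded-For is just another request header the client controls.
// Honour it only when the TCP peer is a proxy we run, and keep the first
// hop only if it parses as an IP address.
function forwarded_ip(?string $xff, string $remote, array $trusted_proxies): string {
    if ($xff === null || !in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    $first = trim(explode(',', $xff)[0]);
    return filter_var($first, FILTER_VALIDATE_IP) !== false ? $first : $remote;
}

// Every value is bound as a parameter, so quotes in $id, $user or
// $real_ip can no longer alter the statement.
function insert_log_row(PDO $pdo, array $row): void {
    $stmt = $pdo->prepare(
        'INSERT INTO pass (add_date, id, uidlog, ip_real, ip, pass, country, city, zip)
         VALUES (NOW(), ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([
        $row['id'], $row['user'], $row['real_ip'], $row['ip'], $row['info'],
        $row['country'], $row['city'], $row['zip'],
    ]);
}

// Flat-file alternative: one JSON object per line, so an embedded newline
// or "@@@@@" in a field cannot forge a second record.
function append_log_line(string $path, array $row): void {
    $flags = JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR;
    file_put_contents($path, json_encode($row, $flags) . "\n", FILE_APPEND | LOCK_EX);
}

$ip      = getenv('REMOTE_ADDR') ?: '0.0.0.0';
$real_ip = forwarded_ip(getenv('HTTP_X_FORWARDED_FOR') ?: null, $ip, ['10.0.0.2']); // assumed proxy
$id      = (string) ($_GET['id'] ?? $_POST['id'] ?? '');
$user    = (string) ($_POST['user'] ?? '');
$info    = decode_hex_string((string) ($_POST['info'] ?? ''));

$gi     = geoip_open('./GeoIPCity.dat', GEOIP_STANDARD);
$record = geoip_record_by_addr($gi, $ip);
geoip_close($gi);

$row = [
    'id' => $id, 'user' => $user, 'real_ip' => $real_ip, 'ip' => $ip, 'info' => $info,
    'country' => $record->country_name ?? '', 'city' => $record->city ?? '',
    'zip' => $record->postal_code ?? '',
];

$pdo = new PDO(
    "mysql:host=$mysql_host;dbname=$mysql_db;charset=utf8mb4",
    $mysql_login, $mysql_pass,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
insert_log_row($pdo, $row);
// Flat-file variant, same day.month naming as the original:
// append_log_line('logs/pass.' . date('d.m') . '.txt', $row);
```

Two design notes. PDO::ATTR_EMULATE_PREPARES is switched off so the server, not the client library, separates the statement from its parameters; with emulation on, the driver would still be doing client-side quoting, which is exactly the mechanism that addslashes() gets wrong for multibyte connection charsets. And the original's "trust X-Forwarded-For unconditionally" is replaced by a trusted-proxy allow-list, because the header is worth nothing unless something you control wrote it.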

About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/
