AppSec Blog: Category - Spot the Vuln

Spot the Vuln Boundaries - SQL Injection

Details


Affected Software: My Calendar Wordpress Plugin

Fixed in Version: >1.7.2

Issue Type: SQL Injection

Original Code: Found Here

Details


This week's bug was a subtle mistake in the use of an escaping routine. The developer clearly understood the dangers of SQL injection and therefore ran user-controlled input through an escaping routine before using it to build a SQL statement. Unfortunately, the developer overlooked a crucial characteristic of the data and used the wrong escaping routine. Looking at the vulnerable line, we see the following:
...

Spot the Vuln - Boundaries

I like pushing boundaries.
Lady Gaga

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.
...

Spot the Vuln - Floods - SQL Injection

Details


Affected Software: Corpse C&C

Fixed in Version: ?

Issue Type: SQL Injection

Original Code: Found Here

Details


This week's bug is in Corpse C&C. SpotTheVuln reader Christina hits it right on the head: line 32 contains a ridiculous amount of SQL injection. Most of the parameters passed to the INSERT statement result in SQL injection. $id, $info, and $user are all set directly from $_GET or $_POST and are used in the SQL statement without any sanitization. Despite its name, $real_ip is also completely attacker controlled and can be used for SQL injection: getenv("HTTP_X_FORWARDED_FOR") does not sanitize the user-controlled value in any way. For some reason, many developers assume the X-Forwarded-For header will only ever contain an IP address or domain name. X-Forwarded-For can contain any characters (including angle brackets, ...

Spot the Vuln - Floods

The moment we begin to fear the opinions of others and hesitate to tell the truth that is in us, and from motives of policy are silent when we should speak, the divine floods of light and life no longer flow into our souls.
Elizabeth Cady Stanton

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.
...

Spot the Vuln Grammys - Cross Site Scripting

Details


Affected Software: Corpse C&C

Fixed in Version: ?

Issue Type: XSS

Original Code: Found Here

Details


Fairly straightforward XSS bug here. This week's bug can be found in the index.php file for Corpse C&C, specifically the index file located at Corpse/info/socks/index.php. Buried deep within the print statement starting on line 30 are two unsanitized, unescaped variables ($states and $countrys). Both $states and $countrys are taken directly from $_POST parameters and assigned to PHP variables, and those PHP variables are then used to build HTML markup. Being buried within a large print statement makes it a little difficult to spot, but this bug is classic XSS.

...