Courage is the price that life exacts for granting peace.
- Amelia Earhart
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.
... <snip> ...
if (isset($_GET['action']) || isset($_POST['prune']) || isset($_POST['prune_comply']))
{
if (isset($_POST['prune_comply']))
{
confirm_referrer('admin_prune.php');
$prune_from = $_POST['prune_from'];
$prune_days = intval($_POST['prune_days']);
$prune_date = ($prune_days) ? time() - ($prune_days*86400) : -1;
@set_time_limit(0);
if ($prune_from == 'all')
{
$result = $db->query('SELECT id FROM '.$db->prefix.'forums') or error('Unable to fetch forum list', __FILE__, __LINE__, $db->error());
$num_forums = $db->num_rows($result);
for ($i = 0; $i < $num_forums; ++$i)
{
$fid = $db->result($result, $i);
prune($fid, $_POST['prune_sticky'], $prune_date);
update_forum($fid);
}
}
else
{
$prune_from = intval($prune_from);
prune($prune_from, $_POST['prune_sticky'], $prune_date);
update_forum($prune_from);
}
// Locate any "orphaned redirect topics" and delete them
$result = $db->query('SELECT t1.id FROM '.$db->prefix.'topics AS t1 LEFT JOIN '.$db->prefix.'topics AS t2 ON t1.moved_to=t2.id WHERE t2.id IS NULL AND t1.moved_to IS NOT NULL') or error('Unable to fetch redirect topics', __FILE__, __LINE__, $db->error());
$num_orphans = $db->num_rows($result);
if ($num_orphans)
{
for ($i = 0; $i < $num_orphans; ++$i)
$orphans[] = $db->result($result, $i);
$db->query('DELETE FROM '.$db->prefix.'topics WHERE id IN('.implode(',', $orphans).')') or error('Unable to delete redirect topics', __FILE__, __LINE__, $db->error());
}
redirect('admin_prune.php', 'Posts pruned. Redirecting …');
}
$prune_days = $_POST['req_prune_days'];
if (!@preg_match('#^\d+$#', $prune_days))
message('Days to prune must be a positive integer.');
$prune_date = time() - ($prune_days*86400);
$prune_from = $_POST['prune_from'];
// Concatenate together the query for counting number or topics to prune
$sql = 'SELECT COUNT(id) FROM '.$db->prefix.'topics WHERE last_post<'.$prune_date.' AND moved_to IS NULL';
if ($_POST['prune_sticky'] == '0')
$sql .= ' AND sticky=\'0\";
if ($prune_from != 'all')
{
$prune_from = intval($prune_from);
$sql .= ' AND forum_id='.$prune_from;
// Fetch the forum name (just for cosmetic reasons)
$result = $db->query('SELECT forum_name FROM '.$db->prefix.'forums WHERE id='.$prune_from) or error('Unable to fetch forum name', __FILE__, __LINE__, $db->error());
$forum = '"'.pun_htmlspecialchars($db->result($result)).'"';
}
else
$forum = 'all forums';
$result = $db->query($sql) or error('Unable to fetch topic prune count', __FILE__, __LINE__, $db->error());
$num_topics = $db->result($result);
if (!$num_topics)
message('There are no topics that are '.$prune_days.' days old. Please decrease the value of "Days old" and try again.');
$page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / Admin / Prune';
require PUN_ROOT.'header.php';
generate_admin_menu('prune');
?>
<div class="blockform">
<h2><span>Prune</span></h2>
<div class="box">
<form method="post" action="admin_prune.php?action=foo">
<div class="inform">
<input type="hidden" name="prune_days" value="<?php echo $prune_days ?>" />
<input type="hidden" name="prune_sticky" value="<?php echo $_POST['prune_sticky'] ?>" />
<input type="hidden" name="prune_from" value="<?php echo $prune_from ?>" />
<fieldset>
<legend>Confirm prune posts</legend>
<div class="infldset">
<p>Are you sure that you want to prune all topics older than <?php echo $prune_days ?> days from <?php echo $forum ?>? (<?php echo $num_topics ?> topics)</p>
<p>WARNING! Pruning posts deletes them permanently.</p>
</div>
</fieldset>
</div>
<p><input type="submit" name="prune_comply" value="Prune" /><a href="javascript:history.go(-1)">Go back</a></p>
</form>
</div>
</div>
<div class="clearer"></div>
</div>
... <snip> ...
About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/
Post a Comment
* Indicates a required field.