AppSec Blog

20 Dec 2010

Spot the Vuln - Price

0 comments Posted by Billy Rios
Filed under Spot the Vuln

Courage is the price that life exacts for granting peace.
- Amelia Earhart

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

... <snip> ... if (isset($_GET['action']) || isset($_POST['prune']) || isset($_POST['prune_comply'])) { if (isset($_POST['prune_comply'])) { confirm_referrer('admin_prune.php'); $prune_from = $_POST['prune_from']; $prune_days = intval($_POST['prune_days']); $prune_date = ($prune_days) ? time() - ($prune_days*86400) : -1; @set_time_limit(0); if ($prune_from == 'all') { $result = $db->query('SELECT id FROM '.$db->prefix.'forums') or error('Unable to fetch forum list', __FILE__, __LINE__, $db->error()); $num_forums = $db->num_rows($result); for ($i = 0; $i < $num_forums; ++$i) { $fid = $db->result($result, $i); prune($fid, $_POST['prune_sticky'], $prune_date); update_forum($fid); } } else { $prune_from = intval($prune_from); prune($prune_from, $_POST['prune_sticky'], $prune_date); update_forum($prune_from); } // Locate any "orphaned redirect topics" and delete them $result = $db->query('SELECT t1.id FROM '.$db->prefix.'topics AS t1 LEFT JOIN '.$db->prefix.'topics AS t2 ON t1.moved_to=t2.id WHERE t2.id IS NULL AND t1.moved_to IS NOT NULL') or error('Unable to fetch redirect topics', __FILE__, __LINE__, $db->error()); $num_orphans = $db->num_rows($result); if ($num_orphans) { for ($i = 0; $i < $num_orphans; ++$i) $orphans[] = $db->result($result, $i); $db->query('DELETE FROM '.$db->prefix.'topics WHERE id IN('.implode(',', $orphans).')') or error('Unable to delete redirect topics', __FILE__, __LINE__, $db->error()); } redirect('admin_prune.php', 'Posts pruned. Redirecting &hellip;'); } $prune_days = $_POST['req_prune_days']; if (!@preg_match('#^\d+$#', $prune_days)) message('Days to prune must be a positive integer.'); $prune_date = time() - ($prune_days*86400); $prune_from = $_POST['prune_from']; // Concatenate together the query for counting number or topics to prune $sql = 'SELECT COUNT(id) FROM '.$db->prefix.'topics WHERE last_post<'.$prune_date.' AND moved_to IS NULL'; if ($_POST['prune_sticky'] == '0') $sql .= ' AND sticky=\'0\"; if ($prune_from != 'all') { $prune_from = intval($prune_from); $sql .= ' AND forum_id='.$prune_from; // Fetch the forum name (just for cosmetic reasons) $result = $db->query('SELECT forum_name FROM '.$db->prefix.'forums WHERE id='.$prune_from) or error('Unable to fetch forum name', __FILE__, __LINE__, $db->error()); $forum = '"'.pun_htmlspecialchars($db->result($result)).'"'; } else $forum = 'all forums'; $result = $db->query($sql) or error('Unable to fetch topic prune count', __FILE__, __LINE__, $db->error()); $num_topics = $db->result($result); if (!$num_topics) message('There are no topics that are '.$prune_days.' days old. Please decrease the value of "Days old" and try again.'); $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / Admin / Prune'; require PUN_ROOT.'header.php'; generate_admin_menu('prune'); ?> <div class="blockform"> <h2><span>Prune</span></h2> <div class="box"> <form method="post" action="admin_prune.php?action=foo"> <div class="inform"> <input type="hidden" name="prune_days" value="<?php echo $prune_days ?>" /> <input type="hidden" name="prune_sticky" value="<?php echo $_POST['prune_sticky'] ?>" /> <input type="hidden" name="prune_from" value="<?php echo $prune_from ?>" /> <fieldset> <legend>Confirm prune posts</legend> <div class="infldset"> <p>Are you sure that you want to prune all topics older than <?php echo $prune_days ?> days from <?php echo $forum ?>? (<?php echo $num_topics ?> topics)</p> <p>WARNING! Pruning posts deletes them permanently.</p> </div> </fieldset> </div> <p><input type="submit" name="prune_comply" value="Prune" /><a href="javascript:history.go(-1)">Go back</a></p> </form> </div> </div> <div class="clearer"></div> </div> ... <snip> ...
About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/

Permalink | Comments RSS Feed - Post a comment | Trackback URL

Post a Comment






Captcha


* Indicates a required field.

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





Share

Categories
Recent Posts
Archives
Links
Latest Blog Posts

Exploring the DevSecOps Toolchain
October 14, 2018 - 7:40 AM

Your Secure DevOps Questions Answered
September 13, 2018 - 6:55 PM

Continuous Opportunity - DevOps and Security
August 23, 2017 - 2:33 PM

View More »

Latest Tweets @sansappsec

RunC vulnerability allows container breakout and root RCE on [...]
February 13, 2019 - 3:47 AM

Come learn about serverless security and much more in #540. [...]
January 28, 2019 - 1:43 AM

Congratulations Mark! https://t.co/JbsNYfpU3G
January 25, 2019 - 12:56 PM

Latest Papers

One-Click Forensic Analysis: A SANS Review of EnCase Forensic
By Jake Williams

Cloud Security: Are You Ready?
By Dave Shackleford

Tailoring Intelligence for Automated Response
By Sonny Sarai

View More »

"The course used real code with simple scenarios illustrating a full attack scenario and how to fix the vulnerabilities."
- Jeffrey Bell, Lockheed Martin

"Very practical. Something every developer should attend."
- Chris Yokley, Baldwin County Commission

"Great overview of different types of attacks and how to mitigate them."
- Tim Sargent, Kinecta Federal Credit Union