AppSec Blog

Courage is the price that life exacts for granting peace.
- Amelia Earhart

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

... <snip> ... if (isset($_GET['action']) || isset($_POST['prune']) || isset($_POST['prune_comply'])) { if (isset($_POST['prune_comply'])) { confirm_referrer('admin_prune.php'); $prune_from = $_POST['prune_from']; $prune_days = intval($_POST['prune_days']); $prune_date = ($prune_days) ? time() - ($prune_days*86400) : -1; @set_time_limit(0); if ($prune_from == 'all') { $result = $db->query('SELECT id FROM '.$db->prefix.'forums') or error('Unable to fetch forum list', __FILE__, __LINE__, $db->error()); $num_forums = $db->num_rows($result); for ($i = 0; $i < $num_forums; ++$i) { $fid = $db->result($result, $i); prune($fid, $_POST['prune_sticky'], $prune_date); update_forum($fid); } } else { $prune_from = intval($prune_from); prune($prune_from, $_POST['prune_sticky'], $prune_date); update_forum($prune_from); } // Locate any "orphaned redirect topics" and delete them $result = $db->query('SELECT t1.id FROM '.$db->prefix.'topics AS t1 LEFT JOIN '.$db->prefix.'topics AS t2 ON t1.moved_to=t2.id WHERE t2.id IS NULL AND t1.moved_to IS NOT NULL') or error('Unable to fetch redirect topics', __FILE__, __LINE__, $db->error()); $num_orphans = $db->num_rows($result); if ($num_orphans) { for ($i = 0; $i < $num_orphans; ++$i) $orphans[] = $db->result($result, $i); $db->query('DELETE FROM '.$db->prefix.'topics WHERE id IN('.implode(',', $orphans).')') or error('Unable to delete redirect topics', __FILE__, __LINE__, $db->error()); } redirect('admin_prune.php', 'Posts pruned. Redirecting &hellip;'); } $prune_days = $_POST['req_prune_days']; if (!@preg_match('#^\d+$#', $prune_days)) message('Days to prune must be a positive integer.'); $prune_date = time() - ($prune_days*86400); $prune_from = $_POST['prune_from']; // Concatenate together the query for counting number or topics to prune $sql = 'SELECT COUNT(id) FROM '.$db->prefix.'topics WHERE last_post<'.$prune_date.' AND moved_to IS NULL'; if ($_POST['prune_sticky'] == '0') $sql .= ' AND sticky=\'0\"; if ($prune_from != 'all') { $prune_from = intval($prune_from); $sql .= ' AND forum_id='.$prune_from; // Fetch the forum name (just for cosmetic reasons) $result = $db->query('SELECT forum_name FROM '.$db->prefix.'forums WHERE id='.$prune_from) or error('Unable to fetch forum name', __FILE__, __LINE__, $db->error()); $forum = '"'.pun_htmlspecialchars($db->result($result)).'"'; } else $forum = 'all forums'; $result = $db->query($sql) or error('Unable to fetch topic prune count', __FILE__, __LINE__, $db->error()); $num_topics = $db->result($result); if (!$num_topics) message('There are no topics that are '.$prune_days.' days old. Please decrease the value of "Days old" and try again.'); $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / Admin / Prune'; require PUN_ROOT.'header.php'; generate_admin_menu('prune'); ?> <div class="blockform"> <h2><span>Prune</span></h2> <div class="box"> <form method="post" action="admin_prune.php?action=foo"> <div class="inform"> <input type="hidden" name="prune_days" value="<?php echo $prune_days ?>" /> <input type="hidden" name="prune_sticky" value="<?php echo $_POST['prune_sticky'] ?>" /> <input type="hidden" name="prune_from" value="<?php echo $prune_from ?>" /> <fieldset> <legend>Confirm prune posts</legend> <div class="infldset"> <p>Are you sure that you want to prune all topics older than <?php echo $prune_days ?> days from <?php echo $forum ?>? (<?php echo $num_topics ?> topics)</p> <p>WARNING! Pruning posts deletes them permanently.</p> </div> </fieldset> </div> <p><input type="submit" name="prune_comply" value="Prune" /><a href="javascript:history.go(-1)">Go back</a></p> </form> </div> </div> <div class="clearer"></div> </div> ... <snip> ...
About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/