AppSec Blog

Spot the Vuln - Light

To send light into the darkness of men's hearts - such is the duty of the artist.
- Schumann

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

<?php ... snip ... require(""); header("Content-type: image/svg+xml"); /********** HTTP GET Based Conf ***********/ $ifnum=@$_GET["ifnum"]; // BSD / SNMP interface name / number $ifname=@$_GET["ifname"]?$_GET["ifname"]:"Interface $ifnum"; //Interface name that will be showed on top right of graph /********* Other conf *******/ $scale_type="follow"; //Autoscale default setup : "up" = only increase scale; "follow" = increase and decrease scale according to current graphed datas $nb_plot=120; //NB plot in graph $time_interval=1; //Refresh time Interval $unit="bits"; //Initial unit type: "bits" or "bytes" $fetch_link = "stats.php?if=$ifnum"; //SVG attributes $attribs['bg']='fill="#EEEEEE" stroke="none" stroke-width="0" opacity="1"'; $attribs['axis']='fill="black" stroke="black"'; $attribs['in']='fill="#00CC00" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="7"'; $attribs['out']='fill="#FF0000" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="7"'; $attribs['graph_in']='fill="none" stroke="#00CC00" stroke-opacity="0.8"'; $attribs['graph_out']='fill="none" stroke="#FF0000" stroke-opacity="0.8"'; $attribs['legend']='fill="black" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="4"'; $attribs['graphname']='fill="#435370" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="8"'; $attribs['grid_txt']='fill="gray" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="6"'; $attribs['grid']='stroke="gray" stroke-opacity="0.5"'; $attribs['switch_unit']='fill="#435370" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="4" text-decoration="underline"'; $attribs['switch_scale']='fill="#435370" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="4" text-decoration="underline"'; $attribs['error']='fill="red" font-family="Arial" font-size="4"'; $attribs['collect_initial']='fill="gray" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="4"'; //Error text if we cannot fetch data : depends on which method is used $error_text = gettext("Cannot get data about interface") . " $ifnum"; $height=100; //SVG internal height : do not modify $width=200; //SVG internal width : do not modify $encoding = system_get_language_codeset(); /********* Graph DATA **************/ header("Last-Modified: " . gmdate( "D, j M Y H:i:s" ) . " GMT"); header("Expires: " . gmdate( "D, j M Y H:i:s", time() ) . " GMT"); header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1 header("Cache-Control: post-check=0, pre-check=0", FALSE); header("Pragma: no-cache"); // HTTP/1.0 header("Content-type: image/svg+xml"); echo "<?xml version=\"1.0\" encoding=\"{$encoding}\"?>\n"; ?> <svg width="100%" height="100%" viewBox="0 0 <?=$width?> <?=$height?>" preserveAspectRatio="none" xml:space="preserve" xmlns="" xmlns:xlink="" onload="init(evt)"> <g id="graph"> <rect id="bg" x1="0" y1="0" width="100%" height="100%" <?=$attribs['bg']?>/> <line id="axis_x" x1="0" y1="0" x2="0" y2="100%" <?=$attribs['axis']?>/> <line id="axis_y" x1="0" y1="100%" x2="100%" y2="100%" <?=$attribs['axis']?>/> <path id="graph_out" d="M0 <?=$height?> L 0 <?=$height?>" <?=$attribs['graph_out']?>/> <path id="graph_in" d="M0 <?=$height?> L 0 <?=$height?>" <?=$attribs['graph_in']?>/> <path id="grid" d="M0 <?=$height/4*1?> L <?=$width?> <?=$height/4*1?> M0 <?=$height/4*2?> L <?=$width?> <?=$height/4*2?> M0 <?=$height/4*3?> L <?=$width?> <?=$height/4*3?>" <?=$attribs['grid']?>/> <text id="grid_txt1" x="<?=$width?>" y="<?=$height/4*1?>" <?=$attribs['grid_txt']?> text-anchor="end">75%</text> <text id="grid_txt2" x="<?=$width?>" y="<?=$height/4*2?>" <?=$attribs['grid_txt']?> text-anchor="end">50%</text> <text id="grid_txt3" x="<?=$width?>" y="<?=$height/4*3?>" <?=$attribs['grid_txt']?> text-anchor="end">25%</text> <text id="graph_in_lbl" x="5" y="8" <?=$attribs['in']?>><?=gettext("In");?> <tspan id="graph_in_txt" <?=$attribs['in']?>> </tspan></text> <text id="graph_out_lbl" x="5" y="16" <?=$attribs['out']?>><?=gettext("Out");?> <tspan id="graph_out_txt" <?=$attribs['out']?>> </tspan></text> <text id="ifname" x="<?=$width?>" y="8" <?=$attribs['graphname']?> text-anchor="end"><?=$ifname?></text> <text id="switch_unit" x="<?=$width*0.55?>" y="5" <?=$attribs['switch_unit']?>><?=sprintf(gettext("Switch to %s/s"), ("bits" === $unit) ? "bytes" : "bits");?></text> <text id="switch_scale" x="<?=$width*0.55?>" y="11" <?=$attribs['switch_scale']?>><?=gettext("AutoScale");?> (<?=("up" === $scale_type) ? gettext("Up") : gettext("Follow");?>)</text> <text id="datetime" x="<?=$width*0.55?>" y="17" <?=$attribs['legend']?>> </text> <text id="graphlast" x="<?=$width*0.55?>" y="23" <?=$attribs['legend']?>><?=gettext("Graph shows last");?> <?=$time_interval*$nb_plot?> <?=gettext("seconds");?></text> <polygon id="axis_arrow_x" <?=$attribs['axis']?> points="<?=($width) . "," . ($height)?> <?=($width-2) . "," . ($height-2)?> <?=($width-2) . "," . $height?>"/> <text id="error" x="<?=$width*0.5?>" y="<?=$height*0.4?>" visibility="hidden" <?=$attribs['error']?> text-anchor="middle"><?=$error_text?></text> <text id="collect_initial" x="<?=$width*0.5?>" y="<?=$height*0.4?>" visibility="hidden" <?=$attribs['collect_initial']?> text-anchor="middle"><?=gettext("Collecting initial data, please wait...");?></text> </g> <script type="text/ecmascript"> <![CDATA[ /** * getURL is a proprietary Adobe function, but it's simplicity has made it very * popular. If getURL is undefined we spin our own by wrapping XMLHttpRequest. */ if (typeof getURL == 'undefined') { getURL = function(url, callback) { if (!url) throw 'No URL for getURL'; try { if (typeof callback.operationComplete == 'function') callback = callback.operationComplete; } catch (e) {} if (typeof callback != 'function') throw 'No callback function for getURL'; var http_request = null; if (typeof XMLHttpRequest != 'undefined') { http_request = new XMLHttpRequest(); } else if (typeof ActiveXObject != 'undefined') { try { http_request = new ActiveXObject('Msxml2.XMLHTTP'); } catch (e) { try { http_request = new ActiveXObject('Microsoft.XMLHTTP'); } catch (e) {} } } if (!http_request) throw 'Both getURL and XMLHttpRequest are undefined'; http_request.onreadystatechange = function() { if (http_request.readyState == 4) { callback( { success : true, content : http_request.responseText, contentType : http_request.getResponseHeader("Content-Type") } ); } }'GET', url, true); http_request.send(null); } }
About the Authors:
Brett Hardin and Billy Rios run, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting

Post a Comment


* Indicates a required field.