AppSec Blog

Spot the Vuln - Fall

Some rise by sin, and some by virtue fall.
William Shakespeare

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

<?php
...snip...

function QcodoHandleError($__exc_errno, $__exc_errstr, $__exc_errfile, $__exc_errline, $blnExit = true) {
    // If a command is called with "@", then we should return
    if (error_reporting() == 0)
        return;

    if (class_exists('QApplicationBase'))
        QApplicationBase::$ErrorFlag = true;

    global $__exc_strType;
    if (isset($__exc_strType))
        return;

    $__exc_strType = "Error";
    $__exc_strMessage = $__exc_errstr;

    switch ($__exc_errno) {
        case E_ERROR:           $__exc_strObjectType = "E_ERROR"; break;
        case E_WARNING:         $__exc_strObjectType = "E_WARNING"; break;
        case E_PARSE:           $__exc_strObjectType = "E_PARSE"; break;
        case E_NOTICE:          $__exc_strObjectType = "E_NOTICE"; break;
        case E_STRICT:          $__exc_strObjectType = "E_STRICT"; break;
        case E_CORE_ERROR:      $__exc_strObjectType = "E_CORE_ERROR"; break;
        case E_CORE_WARNING:    $__exc_strObjectType = "E_CORE_WARNING"; break;
        case E_COMPILE_ERROR:   $__exc_strObjectType = "E_COMPILE_ERROR"; break;
        case E_COMPILE_WARNING: $__exc_strObjectType = "E_COMPILE_WARNING"; break;
        case E_USER_ERROR:      $__exc_strObjectType = "E_USER_ERROR"; break;
        case E_USER_WARNING:    $__exc_strObjectType = "E_USER_WARNING"; break;
        case E_USER_NOTICE:     $__exc_strObjectType = "E_USER_NOTICE"; break;
        default:                $__exc_strObjectType = "Unknown"; break;
    }

    $__exc_strFilename = $__exc_errfile;
    $__exc_intLineNumber = $__exc_errline;
    $__exc_strStackTrace = "";

    $__exc_objBacktrace = debug_backtrace();
    for ($__exc_intIndex = 0; $__exc_intIndex < count($__exc_objBacktrace); $__exc_intIndex++) {
        $__exc_objItem = $__exc_objBacktrace[$__exc_intIndex];

        $__exc_strKeyFile     = (array_key_exists("file", $__exc_objItem))     ? $__exc_objItem["file"]     : "";
        $__exc_strKeyLine     = (array_key_exists("line", $__exc_objItem))     ? $__exc_objItem["line"]     : "";
        $__exc_strKeyClass    = (array_key_exists("class", $__exc_objItem))    ? $__exc_objItem["class"]    : "";
        $__exc_strKeyType     = (array_key_exists("type", $__exc_objItem))     ? $__exc_objItem["type"]     : "";
        $__exc_strKeyFunction = (array_key_exists("function", $__exc_objItem)) ? $__exc_objItem["function"] : "";

        $__exc_strStackTrace .= sprintf("#%s %s(%s): %s%s%s()\n",
            $__exc_intIndex, $__exc_strKeyFile, $__exc_strKeyLine,
            $__exc_strKeyClass, $__exc_strKeyType, $__exc_strKeyFunction);
    }

    // Capture and discard any output already buffered so the error page renders cleanly
    if (ob_get_length()) {
        $__exc_strRenderedPage = ob_get_contents();
        ob_clean();
    }

    // Call to display the Error Page (as defined in ...)
    require(__DOCROOT__ . ERROR_PAGE_PATH);

    if ($blnExit)
        exit;
}

function PrepDataForScript($strData) {
    $strData = str_replace("\\", "\\\\", $strData);
    $strData = str_replace("\n", "\\n", $strData);
    $strData = str_replace("\r", "\\r", $strData);
    $strData = str_replace("\"", "&quot;", $strData);
    $strData = str_replace("</script>", "&lt/script&gt", $strData);
    $strData = str_replace("</Script>", "&lt/script&gt", $strData);
    $strData = str_replace("</SCRIPT>", "&lt/script&gt", $strData);
    return $strData;
}
?>
About the Authors:
Brett Hardin and Billy Rios run a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting
