Spot the Vuln – Expands

Life shrinks or expands in proportion to one’s courage
Anais Nin

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

[sourcecode language="php"]
$image)
    // see if files exist in content – we don't want to upload non-used selected files.
    if( strpos($_REQUEST['content'], $image) !== false ) {
        $desc = isset($_REQUEST['photo_description'][$key]) ? $_REQUEST['photo_description'][$key] : '';
        $upload = media_sideload_image($image, $post_ID, $desc);

        // Replace the POSTED content with correct uploaded ones. Regex contains fix for Magic Quotes
        if( !is_wp_error($upload) ) $content = preg_replace('/]*)src=\\\?(\"|\')'.preg_quote($image, '/').'\\\?(\2)([^>\/]*)\/*>/is', $upload, $content);
    }

    // set the post_content and status
    $quick['post_status'] = isset($_REQUEST['publish']) ? 'publish' : 'draft';
    $quick['post_content'] = $content;
    // error handling for $post
    if ( is_wp_error($post_ID)) {
        wp_die($id);
        wp_delete_post($post_ID);
    // error handling for media_sideload
    } elseif ( is_wp_error($upload)) {
        wp_die($upload);
        wp_delete_post($post_ID);
    } else {
        $quick['ID'] = $post_ID;
        wp_update_post($quick);
    }
    return $post_ID;
}

// For submitted posts.
if ( isset($_REQUEST['action']) && 'post' == $_REQUEST['action'] ) {
    check_admin_referer('press-this');
    $post_ID = press_it();
    $posted = $post_ID;
} else {
    $post_ID = 0;
}

// Set Variables
$title = isset($_GET['t']) ? esc_html(aposfix(stripslashes($_GET['t']))) : '';
$selection = isset($_GET['s']) ? trim( aposfix( stripslashes($_GET['s']) ) ) : '';
if ( ! empty($selection) ) {
    $selection = preg_replace('/(\r?\n|\r)/', '

', $selection);
    $selection = '

'.str_replace('

', '', $selection).'

';
}
$url = isset($_GET['u']) ? esc_url($_GET['u']) : '';
$image = isset($_GET['i']) ? $_GET['i'] : '';
…snip…
[/sourcecode]
About the Authors:
Brett Hardin and Billy Rios run spotthevuln.com, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting http://spotthevuln.com/about-spot-the-vuln/

Published by

Billy Rios

Billy currently works for Google, a small technology company headquartered in Mountain View. Before Google, Billy was a Security Program Manager at Microsoft where he helped secure several high profile software projects including Internet Explorer. Prior to his roles at Google and Microsoft, Billy was a penetration tester, testing the defenses of various companies in the Fortune 500. Billy has spoken at numerous security conferences including: Blackhat briefings, Bluehat, RSA and DEFCON. Billy holds a Bachelor's degree in Business Administration, a Master of Science degree in Information Systems, and a Master of Business Administration.
