Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Marsh Ray (marshextendedsubset.com)
Date: Wed Sep 22 2010 - 11:40:32 CDT
On 09/22/2010 11:17 AM, Tyler Borland wrote:
> Hello Marsh,
> I had found one of the previous holes.
Yep. After having seen that, I figured that people actually would be
interested in bugs in this codebase. So I posted here.
> Don't forget to check out the includes for that file.
That 'getpost_ifset' is pure magic, isn't it? :-)
Between that, the 'posted=1' hidden input, and the near absence of SQL
escaping, I wonder if this code was really made with any security at all
in mind. That's not necessarily wrong, I believe there's a time and a
place for test code and code that assumes its running only on a trusted
LAN (though the query string handling in this case would mean that no
admin on the LAN could safely browse the web either).
The vulnerability arises when that code makes it onto production
systems. Unlike a lot of the deeper and more interesting classes of
bugs, this is one of those things where just a little bit of a formal
development process can go a long way towards prevention.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/