forked from webpwnized/mutillidae
-
Notifications
You must be signed in to change notification settings - Fork 1
/
view-someones-blog.php
executable file
·221 lines (195 loc) · 8.54 KB
/
view-someones-blog.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
<?php
switch ($_SESSION["security-level"]){
case "0": // This code is insecure
// DO NOTHING: This is insecure
$lEnableHTMLControls = FALSE;
$lEncodeOutput = FALSE;
$lTokenizeAllowedMarkup = FALSE;
$lProtectAgainstMethodTampering = FALSE;
break;
case "1": // This code is insecure
// DO NOTHING: This is insecure
$lEnableHTMLControls = TRUE;
$lEncodeOutput = FALSE;
$lTokenizeAllowedMarkup = FALSE;
$lProtectAgainstMethodTampering = FALSE;
break;
case "2":
case "3":
case "4":
case "5": // This code is fairly secure
$lEnableHTMLControls = TRUE;
/*
* NOTE: Input validation is excellent but not enough. The output must be
* encoded per context. For example, if output is placed in HTML,
* then HTML encode it. Blacklisting is a losing proposition. You
* cannot blacklist everything. The business requirements will usually
* require allowing dangerous charaters. In the example here, we can
* validate username but we have to allow special characters in passwords
* least we force weak passwords. We cannot validate the signature hardly
* at all. The business requirements for text fields will demand most
* characters. Output encoding is the answer. Validate what you can, encode it
* all.
*/
// encode the output following OWASP standards
// this will be HTML encoding because we are outputting data into HTML
$lEncodeOutput = TRUE;
/* Business Problem: Sometimes the business requirements define that users
* should be allowed to use some HTML markup. If unneccesary, this is a
* bad idea. Output encoding will naturally kill any users attempt to use HTML
* in their input, which is exactly why we use output encoding.
*
* If the business process allows some HTML, then those HTML items are elevated
* from "mallicious input" to "direct object refernces" (a resource to be enjoyed).
* When we want to restrict a user to using to "direct object refernces" (a
* resource to be enjoyed) responsibly, we use mapping. Mapping allows the user
* to chose from a "system generated" (that's us programmers) set of tokens
* to pick from. We need to assure that the user either chooses one of the tokens
* we offer, or our system rejects the request. To put it bluntly, either the user
* follows the rules, or their output is encoded. Period.
*/
$lTokenizeAllowedMarkup = TRUE;
/* If we are in secure mode, we need to protect against SQLi */
$lProtectAgainstMethodTampering = TRUE;
break;
}// end switch
if ($lEnableHTMLControls) {
$lHTMLControlAttributes='required="required"';
}else{
$lHTMLControlAttributes="";
}// end if
?>
<div class="page-title">View Blogs</div>
<?php include_once (__ROOT__.'/includes/back-button.inc');?>
<?php include_once (__ROOT__.'/includes/hints/hints-menu-wrapper.inc'); ?>
<fieldset>
<legend>View Blog Entries</legend>
<span>
<a href="./index.php?page=add-to-your-blog.php" style=" text-decoration: none;">
<img style="vertical-align: middle;" src="./images/add-icon-32-32.png" />
<span style="font-weight:bold;"> Add To Your Blog</span>
</a>
</span>
<form action="index.php?page=view-someones-blog.php" method="post" enctype="application/x-www-form-urlencoded">
<table>
<tr id="id-bad-blog-entry-tr" style="display: none;">
<td class="error-message">
Validation Error: Please choose blog entries to view
</td>
</tr>
<tr><td></td></tr>
<tr>
<td id="id-blog-form-header-td" class="form-header">Select Author and Click to View Blog</td>
</tr>
<tr><td></td></tr>
<tr>
<td>
<select name="author" id="id_author_select" autofocus="autofocus" <?php echo $lHTMLControlAttributes ?>>
<option value="53241E83-76EC-4920-AD6D-503DD2A6BA68"> Please Choose Author </option>
<option value="6C57C4B5-B341-4539-977B-7ACB9D42985A">Show All</option>
<?php
try {
$lQueryResult = $SQLQueryHandler->getUsernames();
while($row = $lQueryResult->fetch_object()){
if(!$lEncodeOutput){
$lUsername = $row->username;
}else{
$lUsername = $Encoder->encodeForHTML($row->username);
}// end if
echo '<option value="' . $lUsername . '">' . $lUsername . '</option>\n';
}// end while
} catch (Exception $e) {
echo $CustomErrorHandler->FormatError($e, $lQueryString);
}// end try
?>
</select>
<input name="view-someones-blog-php-submit-button" class="button" type="submit" value="View Blog Entries" />
</td>
</tr>
<tr><td></td></tr>
</table>
</form>
</fieldset>
<?php
/* Known Vulnerabilities:
SQL injection, Cross Site Scripting, Cross Site Request Forgery
Known Vulnerable Output: Name, Comment
*/
if(isSet($_POST["view-someones-blog-php-submit-button"])){
try {
/* Note that $MySQLHandler->escapeDangerousCharacters is ok but not the best defense. Stored
* Procedures are a much more powerful defense, run much faster, can be
* trapped in a schema, can run on the database, and can be called from
* any number of web applications. Stored procs are the true anti-pwn.
* There are 3 ways that stored procs can be made vulenrable by developers,
* but they are safe by default. Queries are vulnerable by default.
*/
if($lProtectAgainstMethodTampering){
$lAuthor = $_POST["author"];
}else{
$lAuthor = $_REQUEST["author"];
}// end if
if ($lAuthor == "53241E83-76EC-4920-AD6D-503DD2A6BA68" || strlen($lAuthor) == 0){
echo '<script>document.getElementById("id-bad-blog-entry-tr").style.display="";</script>';
}else{
if ($lAuthor == "6C57C4B5-B341-4539-977B-7ACB9D42985A"){
$lAuthor = "%";
}// end if
$lQueryResult = $SQLQueryHandler->getBlogRecord($lAuthor);
$LogHandler->writeToLog("User viewed blog for {$lAuthor}");
/* Report Header */
echo '<div> </div>';
echo '<table border="1px" width="90%" class="results-table">';
echo '
<tr class="report-header">
<td colspan="4">'.$lQueryResult->num_rows.' Current Blog Entries</td>
</tr>
<tr class="report-header">
<td> </td>
<td>Name</td>
<td>Date</td>
<td>Comment</td>
</tr>';
$lRowNumber = 0;
while($row = $lQueryResult->fetch_object()){
$lRowNumber++;
/* Simple but effective security against XSS. Encode output per context if
* we are in secure-mode.
*/
if(!$lEncodeOutput){
$lBloggerName = $row->blogger_name;
$lDate = $row->date;
$lComment = $row->comment;
}else{
$lBloggerName = $Encoder->encodeForHTML($row->blogger_name);
$lDate = $Encoder->encodeForHTML($row->date);
$lComment = $Encoder->encodeForHTML($row->comment);
}// end if
/* Some dangerous markup allowed. Here we restore the tokenized output.
* Note that using GUIDs as tokens works well because they are
* fairly unique plus they encode to the same value.
* Encoding wont hurt them.
*
* Note: Mutillidae is weird. It has to be broken and unbroken at the same time.
* Here we un-tokenize our output no matter if we are in secure mode or not.
*/
$lComment = str_ireplace(BOLD_STARTING_TAG, '<span style="font-weight:bold;">', $lComment);
$lComment = str_ireplace(BOLD_ENDING_TAG, '</span>', $lComment);
$lComment = str_ireplace(ITALIC_STARTING_TAG, '<span style="font-style: italic;">', $lComment);
$lComment = str_ireplace(ITALIC_ENDING_TAG, '</span>', $lComment);
$lComment = str_ireplace(UNDERLINE_STARTING_TAG, '<span style="border-bottom: 1px solid #000000;">', $lComment);
$lComment = str_ireplace(UNDERLINE_ENDING_TAG, '</span>', $lComment);
echo "<tr>
<td>{$lRowNumber}</td>
<td>{$lBloggerName}</td>
<td>{$lDate}</td>
<td>{$lComment}</td>
</tr>\n";
}//end while $row
echo "</table>";
}// end if ($lAuthor == "53241E83-76EC-4920-AD6D-503DD2A6BA68" || strlen($lAuthor) == 0)
} catch (Exception $e) {
echo $CustomErrorHandler->FormatError($e, $lQueryString);
}// end try
}// end if isSet($_POST["view-someones-blog-php-submit-button"])
?>