Security research, news and guidance

Can you find the vulnerabilities(2010)?

September 10, 2010  |  Written by Security Ninja  |   Application Security, Hacking   |   Leave a comment

Hi everyone,

It has been almost a year since the last “can you find the vulnerabilities” post so I thought it was time for another one.

This year I’m taking a slightly different approach. The post in 2009 gave you a small piece of source code to review and you needed to find the vulnerability. This year I’m going to give you the application name, the vulnerability type/name and all of the source code for the application.

You can obviously cheat and just Google “application name and vulnerability type/name” and get the answer but where is the fun in that?

Before I start I have to give credit to the Exploit Database for hosting vulnerable versions of applications. The open source applications I’m using for this post have come from advisories posted on the Exploit Database website.

I have selected five applications with five different vulnerabilities. Four of the applications are web applications written in PHP and the fifth one is a Linux application written in C++.

I have listed the applications below along with a download link for the vulnerable version of the application:

Killmonster – SQL Injection

Killmonster Download

mBlogger – Stored Cross Site Scripting

mBlogger Download

sFileManager – Local File Inclusion

sFileManager Download

Apache JackRabbit – XPath Injection

JackRabbit Download

Printoxx – Local Buffer Overflow

Printoxx Download

I think the first application in the list has the easiest vulnerability to find through to the local buffer overflow potentially being the most difficult to find.

I hope you enjoy the challenge of trying to find all of the vulnerabilities in these applications. I know that at least one of the applications I’ve included in this challenge has more than one vulnerability in it so see if you can find them all.

I would be happy to receive emails (securityninja at realexpayments dot com) from anyone who thinks they have found the vulnerabilities in all five applications, please don’t give the answers away in the blog comments as that might spoil the challenge for others.

I will post the answers next week, have fun!

SN

This entry was posted on September 10, 2010 at 1:40 pm and is filed under Application Security, Hacking . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a comment

VIDEOS & SLIDESHARES

Look at our latest security Videos & SlideShares

EVENTS & SEMINARS

Upcoming Security Events & Seminars

PODCASTS & DOWNLOADS

Check out our Podcasts & White Papers