Taking over the maintenance of a web application can be a bit scary. Depending on its age and size, there's a good chance that it lives in a developmestuction environment, has no known documentation, and was built with an amalgamation of technology ranging from custom C++ CGI engines to the latest and "greatest" AJAX toolkit.

Fortunately, the web application that Chady was inheriting looked like it was in pretty decent shape. A quick sign on to the administration section revealed that each page request seemed to have its own 256-byte security key attached to the query string – impressive! Well, that is until he dug into the code.

Each of the administrative section’s PHP files starts with the following code …

<?php
// (the listing is truncated in the original; the rest of the concatenated key is not shown)
if ($_GET['randomId'] != "L5GYg44_7J3cBPbdqmGvWkRnurfb9ka2orfzE9JIHaO" .
                         "jRSEIvLj7nuw3bSLGets1al9dWkp6fOVHNyX0ZzDJ19" .
                         "t5XFaqYUVfFLl3fb0_MxG5eHuiDjcg9Z4xwYU8bCjN0" .
                         "7FIPHAKUnMtgZw35dhBfZXC4gn7dAIGPavG2eRnxj2L" .
                         "yeThT7wHVFprNnYLZaJFEif3vaJhWTKAxcXBr3K9lQk") {
    echo "Access Denied";
    exit; // stop here so the rest of the page is not rendered
}

… with the “random ID” changing from code file to code file. And, of course, these "random IDs" are used within hyperlinks on dozens and dozens of admin pages, so the "key" sits in every browser history, proxy log and Referer header that touches the site.
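What a maintainer would replace the per-file key with, as an added example that is not code from the original article or from Chady's application: one shared guard file that every admin page includes, where server-side login state is the access control and a per-session token covers state-changing requests. It assumes a login page has already set `$_SESSION['admin_user']` after verifying credentials; that key name and the helper function names are assumptions.

```php
<?php
declare(strict_types=1);

// admin_guard.php (hypothetical): require_once at the top of every admin page
// instead of a hard-coded query-string "random ID". Nothing in the URL is secret.
session_start();

/** Access control comes from the server-side session, not from a link parameter. */
function require_admin(): void
{
    // $_SESSION['admin_user'] is assumed to be set by the login page
    if (empty($_SESSION['admin_user'])) {
        http_response_code(403);
        echo 'Access Denied';
        exit;
    }
}

/** Per-session, randomly generated token for forms and state-changing links. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison, unlike the loose != used in the original check. */
function verify_csrf(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

require_admin();
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !verify_csrf($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    echo 'Access Denied';
    exit;
}
```

Pages that render forms embed `csrf_token()` in a hidden field; the token is tied to the session rather than baked into each file, so it rotates with the session and never appears in a hyperlink.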