Taking over the maintenance of a web application can be a bit scary. Depending on its age and size, there's a good chance that it lives in a developmestuction environment, has no known documentation, and was built with an amalgamation of technology ranging from custom C++ CGI engines to the latest and "greatest" AJAX toolkit.
Fortunately, the web application that Chady was inheriting looked like it was in pretty decent shape. A quick sign on to the administration section revealed that each page request seemed to have its own 256-byte security key attached to the query string – impressive! Well, that is until he dug into the code.
Each of the administrative section’s PHP files starts with the following code …

```php
<?php
// Hardcoded "security key": the request is rejected unless the query-string
// parameter randomId matches this string literal exactly.
if ($_GET['randomId'] != "L5GYg44_7J3cBPbdqmGvWkRnurfb9ka2orfzE9JIHaO"
    . "jRSEIvLj7nuw3bSLGets1al9dWkp6fOVHNyX0ZzDJ19"
    . "t5XFaqYUVfFLl3fb0_MxG5eHuiDjcg9Z4xwYU8bCjN0"
    . "7FIPHAKUnMtgZw35dhBfZXC4gn7dAIGPavG2eRnxj2L"
    . "yeThT7wHVFprNnYLZaJFEif3vaJhWTKAxcXBr3K9lQk"
    . "c9tOTXpDzMYSVEEUgiPBJsrZJO5bt_urzntaAsmNE") {
    echo "Access Denied";
    exit();
}
?>
```
… with the “random ID” changing from code file to code file. And, of course, these "random IDs" are used within hyperlinks on dozens and dozens of admin pages.
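For contrast, here is how the same gate looks when the secret stays out of the URL. This is an added example, not code from the article or from Chady's application; it assumes a separate login page that verifies credentials, calls `session_regenerate_id(true)` and sets `$_SESSION['admin_user']`, and the helper names are hypothetical.

```php
<?php
// Added example: a session-based replacement for the per-file randomId check.
// The admin secret lives server-side in the session, so it never appears in
// hyperlinks, browser history, bookmarks, proxy logs or Referer headers.
declare(strict_types=1);

session_start();

// Reject the request unless an authenticated admin session exists.
// Assumes the login page populated $_SESSION['admin_user'] (hypothetical key).
function require_admin(): void
{
    if (empty($_SESSION['admin_user'])) {
        http_response_code(403);
        echo "Access Denied";
        exit();
    }
}

// Per-session token for state-changing (POST) requests. Generated once from
// the CSPRNG and stored server-side; only the token itself is sent to the client.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Compare with hash_equals() rather than != or ==: it is constant-time and
// does not apply PHP's loose comparison rules. Untyped parameter because
// $_POST values may arrive as arrays, which must simply fail the check.
function verify_csrf($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf'], $submitted);
}

require_admin();
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !verify_csrf($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit("Invalid request token");
}
// ... the rest of the admin page follows, with csrf_token() embedded in its forms.
```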