Spot The Bug challenge December 2016. Win the BitCoin!

Intro

At Securify we are hunting down bugs in our clients' code. It is a demanding task, but we enjoy every bit of it! Every year we release a Spot The Bug challenge. Do you think that you can spot the security bug(s) in this code?

The briefing

Seconds before his Tor Server got seized, the admin managed to wipe his bitcoin keys and a bunch of other evidence. Although he got his business up and running again on a new hidden server, the admin freaked out about the bust. He asked his friends to code-review his admin script to identify any possible security defects! The admin is willing to reward the person that will report the most bugs with a bitcoin! Got his own script got him owned?

So your task for this challenge is to find any bugs (big & small) so this admin can better secure his new server.

Rules

Mail your submission or any questions to stb@securify.nl. The deadline for submitting reports is January 1st, 2017. The winner of the challenge/BitCoin, and our detailed write-up will be announced via Twitter @securifybv once all submissions are reviewed.

The Code

You can find the code on Github.

Questions or feedback?