This is pretty much par for the course for web applications. In my experience insecure, poorly-designed web apps are the rule, not the exception. This doesn't make me scream "WTF!", just roll my eyes.

Well, I do certainly believe it couldn't.

Sadly this kind of "no one will figure it out" mentality is all too common. You can do everything in your power to protect your identity, but idiots like this will always give your information away freely to anyone with two working brain cells.

Reminds me of Yale's stellar online admissions... that was cracked by Princeton admissions officers who were not technical enough to have an electronic application process themselves. |
I agree 100%. The company I work for purchased a one-man web company a couple years ago. Among the atrocities we found was an online store site that stored plain-text credit card numbers in a web-accessible directory.

Well, if the PDFs were stored in a publicly accessible directory, was there any way to upload them? Changing one bad grade in your own school's system is one thing. Changing your entire transcript and polishing the letters of recommendation before the grad admission committee gets a look would be a total coup!

I think he isn't aware of the "rest of the world", you know, outside your basement ^_^ I hope his manual process was safer; maybe they did scan his documents, shred and archive them ;)

Here in the UK, you can sue idiots like this for giving your information away.

Security through obscurity I say! I mean honestly, what are the chances they would think to increment 234.pdf? Quit getting your panties in a bunch. -Tom

Wow, this is such a simple "hack"? (Can you call this a hack?)
This guy should be demoted to be under the command of some student. --doc0tis

Sad, but hardly unexpected. Tom is probably the guy who'll be coding all the SQL-injection-enabled pages we will see next year here on TDWTF. Or maybe "http://...xxx?admin=no". Gooooooooooooooo Tom !!!

It would have made me scream WTF until fairly recently but yes, it is awfully common. OTOH, the fact that it is common doesn't make it any less appalling. If a company wants to screw itself up, that's its own business, but if it's screwing other people like this, I think I'd play it hard: 1) write a memo to the perpetrator, CC his manager, saying I think this design is unacceptable; 2) if still no reaction, contact a newspaper or television program that makes hay with this sort of material (directly, or get a friend to do it).

i am the "TOM" you speak of and i don't appreciate the lies you print
A little boring story
I bet Tom's 10+ years of experience is a bluff to make this story more "wtf-worthy". Mike Rod

Introduction to what students will find in the Real World, indeed.

If ONLY this happened decades earlier! THEN, I could blame Tom for creating "child proof" caps! They take a half second or so to open, sometimes break, and NEVER keep any halfway intelligent child out! But DON'T WORRY....Tom would probably say "But kids can't read until 3rd grade, and will NEVER figure it out!"! Never mind that both statements are false. It's a pity. Jim's advice was simple to implement, would require almost no code changes, etc... He COULD have suggested writing a report program, and having the data sent to the main office, as should have been done in the first place. Less hassle/work and more security. Steve
Side WTF here...what's with the ubiquitous attitude among posters on this forum that their experience is sooooo encompassing that they can make comments like "most blah blah blah sucks" or "almost all blah blah blah is insecure". What egos! Quite a stretch to assume that your vast experience (sounds a lot like Tom, actually) qualifies you to evaluate what is par for web applications in general. I'm quite confident that your exposure to web applications is but a drop in the bucket of all web applications. Anyway. This sounds like exactly the scenario I recently approached my managers with. After reading through specs for a file download area of an application, I realized the same thing. Filenames were completely guessable. I called a meeting, explained it, and I'm happy to say the management "got it", and allowed me the extra time necessary to design it so as to tighten down the security on the files. And yes, it's a web application.
Re: Apply Yourself ... at WTFU (2006-08-21 14:31) by my name is missing

Having worked for a local university for 5 weeks, I found exactly the same kind of problem with db IDs in the URL. For an app they wrote that the state required to "prove" that state money was actually spent on the correct items (and thus if lost the university would get no money at all from the state) I found I could easily delete the entire database from the browser. The same app was also accessible from a master login page which passed the username and password in a GET URL for "single sign-on".
Needless to say I left quickly...

Speaking as someone who put up with a team of web "programmers" for much longer than I wish I had, I must agree as well. It's par for the course. This seems like an appropriate time to remind people of (or introduce them to) the "Unskilled and Unaware" paper: http://www.apa.org/journals/features/psp7761121.pdf

I think the super simple solution to the argument is to simply look at the log files. I would make a wager with Tom that you can find at least 10 people that figured out the security hole. If the same client IP address does an HTTP GET of more than 5 PDFs in the same minute (and that IP does not resolve to a proxy server), then it would be pretty hard to discredit the fact that someone not on the development team found the hole.
I have seen this type of hole in dozens of places, including my credit union, who hosted scanned check images using the URL http://mycreditunion.com/checkimage.asp?accountnumber=12345&checknumber=1001.

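The log check proposed in the post above, written out as an added example (this is not code from the original page or from the site in the story). It runs over constructed Apache-format access-log lines, buckets PDF GETs per client IP per minute, and flags any bucket above the poster's threshold of five. Because nothing can resolve hostnames offline, the "does not resolve to a proxy" test is stood in for by a caller-supplied set of known proxy addresses (`known_proxies`), and the example goes a little beyond the post by also reporting two signals an enumeration leaves behind: how many of the requests were 404s (probing past the end of the ID range) and whether the requested IDs form a consecutive run like 230.pdf, 231.pdf, 232.pdf. All IPs, paths and timestamps below are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache common log format, not real traffic.
# 10.0.0.7 walks 230.pdf..235.pdf inside one minute, 192.168.1.20 fetches a
# single application, and 172.16.5.5 stands in for a shared corporate proxy.
SAMPLE_LOG = """\
10.0.0.7 - - [21/Aug/2006:14:31:02 +0000] "GET /apps/230.pdf HTTP/1.1" 200 81234
10.0.0.7 - - [21/Aug/2006:14:31:04 +0000] "GET /apps/231.pdf HTTP/1.1" 200 79001
10.0.0.7 - - [21/Aug/2006:14:31:05 +0000] "GET /apps/232.pdf HTTP/1.1" 200 80310
10.0.0.7 - - [21/Aug/2006:14:31:07 +0000] "GET /apps/233.pdf HTTP/1.1" 200 77765
10.0.0.7 - - [21/Aug/2006:14:31:09 +0000] "GET /apps/234.pdf HTTP/1.1" 200 82001
10.0.0.7 - - [21/Aug/2006:14:31:11 +0000] "GET /apps/235.pdf HTTP/1.1" 404 512
192.168.1.20 - - [21/Aug/2006:14:31:15 +0000] "GET /apps/234.pdf HTTP/1.1" 200 82001
192.168.1.20 - - [21/Aug/2006:14:32:40 +0000] "GET /apps/index.html HTTP/1.1" 200 2201
172.16.5.5 - - [21/Aug/2006:14:33:01 +0000] "GET /apps/100.pdf HTTP/1.1" 200 60000
172.16.5.5 - - [21/Aug/2006:14:33:05 +0000] "GET /apps/105.pdf HTTP/1.1" 200 61000
172.16.5.5 - - [21/Aug/2006:14:33:12 +0000] "GET /apps/110.pdf HTTP/1.1" 200 62000
172.16.5.5 - - [21/Aug/2006:14:33:20 +0000] "GET /apps/115.pdf HTTP/1.1" 200 63000
172.16.5.5 - - [21/Aug/2006:14:33:33 +0000] "GET /apps/120.pdf HTTP/1.1" 200 64000
172.16.5.5 - - [21/Aug/2006:14:33:41 +0000] "GET /apps/125.pdf HTTP/1.1" 200 65000
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
PDF_ID_RE = re.compile(r'/(\d+)\.pdf$')


def find_enumerators(log_text, threshold=5, known_proxies=frozenset()):
    """Return one finding per (client IP, minute) that fetched more than
    `threshold` PDFs, skipping IPs the caller knows to be shared proxies."""
    buckets = defaultdict(list)  # (ip, "dd/Mon/yyyy:HH:MM") -> [(path, status), ...]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not m["path"].lower().endswith(".pdf"):
            continue
        minute = m["ts"][:17]  # "21/Aug/2006:14:31" drops the seconds and zone
        buckets[(m["ip"], minute)].append((m["path"], int(m["status"])))

    findings = []
    for (ip, minute), reqs in sorted(buckets.items()):
        if ip in known_proxies or len(reqs) <= threshold:
            continue
        ids = []
        for path, _status in reqs:
            match = PDF_ID_RE.search(path)
            if match:
                ids.append(int(match.group(1)))
        ids.sort()
        findings.append({
            "ip": ip,
            "minute": minute,
            "count": len(reqs),
            # 404s mean the client kept incrementing past the last real file
            "not_found": sum(1 for _p, status in reqs if status == 404),
            # consecutive IDs are the signature of "increment 234.pdf"
            "sequential": len(ids) >= 2 and ids == list(range(ids[0], ids[0] + len(ids))),
        })
    return findings


if __name__ == "__main__":
    for finding in find_enumerators(SAMPLE_LOG, known_proxies=frozenset({"172.16.5.5"})):
        print(finding)
```

Counting 404s as well as 200s matters: a client that only reads its own file never sees a 404 on this path, so even a single not-found hit from a host that is also fetching other PDFs is a strong enumeration signal. The proxy exclusion is a trade-off; a real investigation would still want to look at a flagged proxy bucket by hand rather than discard it.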
WTF online: http://www.portabledocuments.co.uk/send.asp?cid=34 (see source)

Re: Apply Yourself ... at WTFU (2006-08-21 14:53) by rocksanddirt

I'm no lawyer, but I'm willing to think a simple backdoor such as this has potential for a lawsuit. I wonder if it could be seen as violating personal information under FISMA, or perhaps the new law requiring software managers to report potential security breaches to the users who have personal information at stake?
After all, the records hold a wealth of personal information beyond letters of recommendation and GPAs...

I doubt that. There are so many SQL-injection-vulnerable web sites, one programmer could never make them all in his entire lifetime.

Est. 19NaN, LOL
Is that new? I must have just seen that for the first time.

Once upon a time in a galaxy far away there was a cell phone company with its very own WAP-based news service. The name of the galaxy was Hungary, the name of the company is not particularly noteworthy. Anyway, it wasn't a big company, imagine some 500K users or so. Once we happened to copy one of their WAP news links into a plain web browser. It was something like http://wap.wtfgsm.hu/foo/news/news.jsp?id=12345. It worked, as nobody had bothered to set the firewalls up to only allow requests coming through their WAP gateway. Big deal. One of us suggested removing the news.jsp part and surprisingly we got a directory listing. Interesting, we thought, and proceeded to delete the news/ from the end of our URL. Another listing appeared, containing directories "news", "admin" and "src". We explored the admin section, resisted the temptation to post bogus news items or delete all the existing ones. After seeing what we've seen, somehow we were not so eager to steal the source code either.

Well this sure gave me a bit of a scare (before I got to the last paragraph).
I am about to apply to grad school, and they strongly encourage using the electronic application.

I would have gone straight over his head to the Registrar's office. If it was not a good idea for me (in that I'd lose my job), I'd get one of my friends to report it to the registrar. Get ready to jump all over me for this post... wait for it... wait for it... GO!

I'm a little surprised that the consensus among you US people seems to be that this is not uncommon at all in your universities. Is it really that bad? Why?
Here in Norway, the core IT administration at the universities is usually top-notch. Barring a few bad apples here and there (most usually business-grad types) who make some weird management decision regarding platforms, everything is run by geeks who *know* what they're doing. The level of competence just seems to be ridiculously high.. as it should be, as you have an ample supply of geeks who need part-time jobs, as well as an ample supply of graduates with girlfriends on campus who really wouldn't mind staying at the university a few more years.

A couple of years back I did some contract work for a UK fund manager and discovered a huge (DoS-type) hole in their on-line fund management application. All of the account numbers were allocated sequentially, so find out one number and you could deduce them all. This alone wouldn't allow you to access anybody else's account details, but if you tried the account number and got your password wrong 3 times it would lock your account - and you'd have to phone up the "helpdesk" to get it unlocked. So, it doesn't take a rocket scientist to figure out a way to launch a DoS attack on the helpdesk! ;-)

I call bullsh*it... and forgive me for saying, these statements seem a little arrogant. Maybe this is true at your university, but I bet you a million bucks it is not the norm.

Wouldn't PDF files lying around get scanned by search engines?

Or just http://www.portabledocuments.co.uk/send.asp to witness a couple of other things that are about par for the course.

Is this the same 'Tom' I have on my friends list over at MySpace?
captcha: billgates

IMHO, you are correct - I would have done the same!

Maybe, maybe not. PDFs created by a flatbed scanner might be just images, not text, so there is nothing to scan.

You won't be saying that once WTFU finishes their Oslo and Trondheim campuses.
Re: Apply Yourself ... at WTFU (2006-08-21 16:17) by mrsticks1982

jet database error ... wow, some high end database engine they are using!!

Even if the pdf files are publicly accessible, the crawlers still need to find their way there. So, unless (until?) they're linked from somewhere else, probably not.

Here is an even bigger wtf:
http://www.portabledocuments.co.uk/download.asp?file=C:/webroot/LocalUser/br4589/Website/send.asp Please don't drop the table before I can show this to my friend
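Two of the holes discussed in this thread sit in the same handler: a download endpoint that takes a client-supplied path (`download.asp?file=C:/...` above, which hands out the site's own source) and file names that are sequential and guessable (`234.pdf` in the story and the "completely guessable" filenames an earlier poster found in their own application). The block below is an added example in Python, not code from the page or from either site, that puts the careless version beside a hardened one: the path is resolved and checked to stay under the document root, stored documents are addressed by a random token instead of a counter, and the server checks that the requester owns the document (or is admissions staff) before reading it. `DocumentStore`, the `registrar` staff role and the temporary directory layout are assumptions made for the demonstration.

```python
import secrets
import tempfile
from pathlib import Path


def download_by_path_unsafe(doc_root, requested):
    # Mirrors a ?file=... handler that trusts the client: "../x" walks out of
    # the root, and an absolute path replaces the root outright, because
    # Path("/srv/docs") / "/etc/passwd" is simply "/etc/passwd".
    return (Path(doc_root) / requested).read_bytes()


def resolve_under(doc_root, requested):
    """Resolve `requested` relative to doc_root; refuse anything that ends up outside it."""
    root = Path(doc_root).resolve()
    target = (root / requested).resolve()  # follows "..", symlinks and absolute paths
    try:
        target.relative_to(root)
    except ValueError:
        raise PermissionError(f"{requested!r} escapes the document root") from None
    return target


def download_by_path_safe(doc_root, requested):
    return resolve_under(doc_root, requested).read_bytes()


class DocumentStore:
    """Applications keyed by an unguessable token, with an ownership check on read.
    Assumed design for this example, not the system from the story."""

    def __init__(self, doc_root, admissions_staff=()):
        self.root = Path(doc_root).resolve()
        self.staff = frozenset(admissions_staff)
        self.index = {}  # token -> owner username

    def store(self, owner, data):
        token = secrets.token_urlsafe(32)  # 256 random bits: no 233.pdf / 235.pdf next door
        (self.root / f"{token}.pdf").write_bytes(data)
        self.index[token] = owner
        return token

    def download(self, token, requesting_user):
        owner = self.index.get(token)
        if owner is None:
            raise FileNotFoundError("no such document")  # unknown token == missing file
        if requesting_user != owner and requesting_user not in self.staff:
            raise PermissionError("not your document")
        # The token came from our own index, but resolve it anyway (defence in depth).
        return resolve_under(self.root, f"{token}.pdf").read_bytes()


def run_demo():
    """Exercise both handlers in a throwaway directory; returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "docs").mkdir()
        (tmp / "secret.txt").write_bytes(b"db password")  # beside, not inside, the doc root

        results["unsafe_reads_outside_root"] = (
            download_by_path_unsafe(tmp / "docs", "../secret.txt") == b"db password")
        try:
            download_by_path_safe(tmp / "docs", "../secret.txt")
            results["safe_blocks_traversal"] = False
        except PermissionError:
            results["safe_blocks_traversal"] = True

        store = DocumentStore(tmp / "docs", admissions_staff={"registrar"})
        pdf = b"%PDF-1.4 constructed sample application"
        token = store.store("alice", pdf)
        results["token_length"] = len(token)
        results["owner_can_read"] = store.download(token, "alice") == pdf
        results["staff_can_read"] = store.download(token, "registrar") == pdf
        try:
            store.download(token, "bob")
            results["other_user_blocked"] = False
        except PermissionError:
            results["other_user_blocked"] = True
        try:
            store.download("234", "alice")  # the guessable name from the story
            results["guessed_id_blocked"] = False
        except FileNotFoundError:
            results["guessed_id_blocked"] = True
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The ownership check is the part that actually closes the hole from the story; the random token only stops enumeration, and the path check only stops the `file=C:/...` class of bug. Both of those are worth keeping even once the ownership check exists, because they cost a line each and cover the day someone adds a second endpoint without it.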
You obviously wanted to write "geeks who think they know what they're doing". Proper security requires a level of experience that most students have not yet obtained. Being able to write an awk script does not make you a great and adorable h4x0r. And many universities don't bother to hire expensive "pros" when they can have so many computer-savvy students for pocket money. That said, I hope that the true Toms are rare even among inexperienced youth. I really do.
Re: Apply Yourself ... at WTFU (2006-08-21 16:30) by John Bigboote

Oh, sweet Jesus. You can download their .mdb file.
Re: Apply Yourself ... at WTFU (2006-08-21 16:33) by Franz Kafka

> <!--<body onload="KillMe();self.focus()">--> heh heh.

Well, you are only able to access all of their local files because you're familiar with the technical details of the system. No one else would ever be able to actually figure that out on their own. Aaaaaargh! Captcha: Paula
Re: Apply Yourself ... at WTFU (2006-08-21 16:46) by A nonny nonny nonny

Amazing, I use the same combination on my luggage!

Hehe, great Spaceballs reference ;)

How do you know?

In my undergrad work, I prototyped a student enrollment system: Student Processing, Enrollment and Registration Management System. Instructor got a chuckle from it. Waggs
I like Tom. Tom is my new role model. When I grow up I want to be just like him.
Yes, really.

Re: Apply Yourself ... at WTFU (2006-08-21 17:10) by sql injector

@AdamK: It gets better.
http://www.portabledocuments.co.uk/send.asp?cid=NULL%20OR%201=1 You can probably do better.
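The URL in the post above URL-decodes to `cid=NULL OR 1=1`, and the fact that the page behaves differently on it means the `cid` parameter is being pasted into the SQL text. The block below is an added example (not code from the page or from the site) that reproduces the bug in Python against an in-memory SQLite table standing in for the site's documents table (the table name, columns and rows are assumed), shows what the payload does to the `WHERE` clause, and puts the parameterized and validated versions next to it.

```python
import sqlite3
from urllib.parse import parse_qs


def build_db():
    """In-memory stand-in for the site's document table (schema and rows assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (cid INTEGER PRIMARY KEY, owner TEXT, filename TEXT)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(33, "alice", "33.pdf"), (34, "bob", "34.pdf"), (35, "carol", "35.pdf")],
    )
    return conn


def cid_from_query(query_string):
    """What send.asp sees once the query string is URL-decoded."""
    return parse_qs(query_string)["cid"][0]


def send_vulnerable(conn, cid):
    # The client's bytes become part of the SQL text. With cid="34" this is
    # "... WHERE cid = 34"; with cid="NULL OR 1=1" it is
    # "... WHERE cid = NULL OR 1=1", i.e. (cid = NULL) OR (1=1), true for every row.
    sql = "SELECT cid, owner, filename FROM documents WHERE cid = " + cid
    return conn.execute(sql).fetchall()


def send_parameterized(conn, cid):
    # The driver binds cid as a value; whatever it contains, it cannot change
    # the shape of the query. "NULL OR 1=1" is just a string nothing matches.
    return conn.execute(
        "SELECT cid, owner, filename FROM documents WHERE cid = ?", (cid,)
    ).fetchall()


def send_validated(conn, cid):
    # Belt and braces: the column is an integer, so refuse anything that is not one
    # before it gets anywhere near the database.
    try:
        cid_int = int(cid)
    except (TypeError, ValueError):
        raise ValueError("cid must be an integer") from None
    return send_parameterized(conn, cid_int)


if __name__ == "__main__":
    conn = build_db()
    payload = cid_from_query("cid=NULL%20OR%201=1")
    print("vulnerable, cid=34:      ", send_vulnerable(conn, "34"))
    print("vulnerable, injected:    ", send_vulnerable(conn, payload))
    print("parameterized, injected: ", send_parameterized(conn, payload))
```

The parameterized query alone is enough to stop the injection; the integer check on top of it is there so that a malformed `cid` is rejected at the edge with a clear error instead of producing an empty result that looks like "no such document". Note that the worry in the post (dropping the table) is a second-order effect of the same mistake, which is why the fix is to stop concatenating, not to filter particular words.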
Re: Apply Yourself ... at WTFU (2006-08-21 17:19) by John Kugelman

This is how it is. I'm not being arrogant, just honest. I am not saying that I can authoritatively claim that X% of web apps are poorly written, but what I can say is that of the code I am exposed to, very, very little of it is well-written. Sites written in PHP tend to be open to all kinds of code injection attacks. SQL injection is common, but even more so are cross-site scripting vulnerabilities--that is, programmers not properly escaping their variables when they output to the page, via htmlentities() or what have you. In Java or C# I see a lot of crazy threading problems. Awful session abuse. Statefulness where statelessness would work better. The frameworks in these languages tend to hide the underlying HTML/HTTP layer, and I think "enterprise-level" developers are more prone to not understanding what exactly is getting sent back and forth. They'll have huge problems trying to set cookies or get their damn login info to get in their damn session. People copy and paste JavaScript into their applications. It's pretty safe to say that any JavaScript code examples you find via a Google search are going to be horrible. Unless you get lucky and Dean Edwards's site, for example, pops up. Amateur web programmers will confuse server-side and client-side code, and will do things in JavaScript that really need to be done server-side. Again, I'm not being arrogant. I think all of this is a consequence of so much web app code being open source or scripted. I think programmers share PHP, Perl, and JavaScript much more readily than, say, C++, simply because it's all very very open and accessible. And it leads to lots of very poor sites showing off insecure code snippets. Plus web programming leads to more of a "hack away until it works" style of development than traditional programming, I suppose because you don't really run the risk of crashing your computer or anything like that. So yeah, this is very much par for the course.
It takes maybe 3 lines of code to take an uploaded file and save it off in a directory. To secure it would require a lot of authentication code, running hundreds of lines, probably some web server configuration, which is always a nightmare, assuming you are even able to do that, and so on. Yes, today's WTF is a big security hole, but it's not shocking at all. That's all I'm saying.