Comment On Personal Personnel Authentication

Lol pudding first post

fist!



The real WTF here is that they use VBScript



The real WTF here is the forum software



This WTF isn't as funny as they used to be



Sincerely, Gene Wirchenko

Alex Papadimoulis:

Else

  session("grantaccess") = "SALES"

  session("showDebug") = "none"

End If

my favourite part =)

Boy, it's almost as if they've never heard of .htaccess files, or the equiv. for IIS (which I believe is point/click "who do I want to see this?")

Anonymous:

Alex Papadimoulis:

Else

  session("grantaccess") = "SALES"

  session("showDebug") = "none"

End If

my favourite part =)

at least it wasnt like this

response.redirect("special.asp?grantaccess=sales&showDebug=none")

Another example of job security through incompetence. If they fire the programmer, they won't be able to hire or fire anybody else. Well, until they hire another programmer.[8-|]

It's security through obscur-- er, no. It's security through phy-- no, not that either.

It's security through....Well, I dunno, really.

This wtf reminds me of the hardcoded TI-83 BASIC program shells so prevalent in highschool. The ones that could be bypassed by pressing the 'ON' button...

Now is the HR person responsible for adding new employees to the code as well as setting up direct deposit, the health plan and the 401k?

they sure are optimistic-they assume these guys will not quit or switch jobs [:D]

No question. This is a "WTF Award Winner of the Day".

Anonymous:

Alex Papadimoulis:

Else

  session("grantaccess") = "SALES"

  session("showDebug") = "none"

End If

my favourite part =)

Heh - perhaps they give so little access to their salespeople that it doesn't matter if they give it out to random people. Or perhaps there were too many users in the sales department, and the author couldn't be bothered adding them all.

Anonymous:

This wtf reminds me of the hardcoded TI-83
BASIC program shells so prevalent in highschool. The ones that could be
bypassed by pressing the 'ON' button...

Oh, I'm sure there are many people reading this forum who were once
very impressed with themselves after adding a password to an 8-bit
BASIC program using plaintext string comparison.

wow... way too many if...elseif's... the obvious solution is to create a new ASP page for each user and just do the following:

 

Response.Redirect UCase(usrID) + ".asp"

Alex Papadimoulis:

ElseIf UCase(Trim(rsGetUserID("JOB_TITLE"))) = "DEVELOPER" Or UCase(usrID) = "LINDAA" Or _
UCase(usrID) = "CAROLK" Or UCase(usrID) = "SUMMERE" Or UCase(usrID) = "SHAUNR" Or _
UCase(usrID) = "JESSIES" Or UCase(usrID) = "SHADAR" Or UCase(usrID) = "MILOS" Or _
UCase(Trim(rsGetUserID("JOB_TITLE"))) = "DATABASE MANAGER" Or _
UCase(Trim(rsGetUserID("JOB TITLE"))) = "DATABASE ADMINISTRATOR" Or _
UCase(Trim(rsGetUserID("JOB_TITLE"))) = "CONTROLLER" Or _
UCase(Trim(rsGetUserID("JOB_TITLE"))) = "ACCOUNTANT" Or _
UCase(Trim(rsGetUserID("JOB_TITLE"))) = "INTERNAL AUDIT MANAGER" Then
'session("ignoretabs") = "yes"
Response.Redirect "Special.asp"

I wonder how rsGetUserID() is implemented - another long series of If .. ElseIf ... statements?



On second thoughts, maybe I don't want to know...

makomk:

Alex Papadimoulis:

ElseIf UCase(Trim(rsGetUserID("JOB_TITLE"))) = "DEVELOPER" Or UCase(usrID) = "LINDAA" Or _ UCase(usrID) = "CAROLK" Or UCase(usrID) = "SUMMERE" Or UCase(usrID) = "SHAUNR" Or _ UCase(usrID) = "JESSIES" Or UCase(usrID) = "SHADAR" Or UCase(usrID) = "MILOS" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "DATABASE MANAGER" Or _ UCase(Trim(rsGetUserID("JOB TITLE"))) = "DATABASE ADMINISTRATOR" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "CONTROLLER" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "ACCOUNTANT" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "INTERNAL AUDIT MANAGER" Then 'session("ignoretabs") = "yes" Response.Redirect "Special.asp"

I wonder how rsGetUserID() is implemented - another long series of If .. ElseIf ... statements?

On second thoughts, maybe I don't want to know...

In VBScript, using ADO, that is most likely just a recordset.  So rsGetUserID() isn't actually a method call, its more like retrieving a value from a collection. Thats one of the major problems with VB.  You can't tell between arrays (or indexers) and functions (or subs, bleh - cant believe they even distinguish between the two).  What a crappy language.

I find myself being very annoyed by the number of calls to UCase(Trim(rsGetUserID(""))).  Especially considering that VBScript doesn't use short circuit evaluation, that means that this is being called over and over and over and over - no matter what.  If the first item is a match, it still calls it for every single IF evaluation.  Now maybe, just maybe, VBScript is doing some optimization in the interpreter, but I doubt it. Why not make one variable, call the methods once, and then use that for the evaluations?

Am i crazy for thinking this?

I've seen worse, like the Access system that named all of its tables/views/queries after the users that needed them followed by a number.

Anonymous:

The real WTF here is that they use VBScript

Yes...  sort of.  It's ASP - VBScript-like syntax is all it supported.

 

Alex Papadimoulis:

'RONALDT FIX - Needed for Ronald to view KevinS's jobs

ElseIf UCase(usrID) = "RONALDT" then 

  Response.Redirect "ronaldt.asp"

'END RONALDT FIX



'JEREMYP FIX - Needed for Jeremy to view BobC's jobs

'ElseIf UCase(usrID) = "JEREMYP" then 

'  Response.Redirect "jeremyp.asp"

'END JEREMYP FIX

I'm very curious how redirecting to ronaldt.asp will allow Ronald to see KevinS's jobs.  Maybe all ronaldt.asp does is display KevinS's jobs.  Now that would be a WTF.

Anonymous:

they sure are optimistic-they assume these guys will not quit or switch jobs [:D]

No, no, it's much better!  You just require the newbie in the job to change their name to match the id!

OK... wild stab in the dark... I'm guessing some mate of a mate of the
boss was a cheap student coder who naively said 'sure I can do that'.



Bunch of ="JESSIES"

Anonymous:

Alex Papadimoulis:

'RONALDT FIX - Needed for Ronald to view KevinS's jobs

ElseIf UCase(usrID) = "RONALDT" then 

  Response.Redirect "ronaldt.asp"

'END RONALDT FIX



'JEREMYP FIX - Needed for Jeremy to view BobC's jobs

'ElseIf UCase(usrID) = "JEREMYP" then 

'  Response.Redirect "jeremyp.asp"

'END JEREMYP FIX

I'm very curious how redirecting to ronaldt.asp will allow Ronald to see KevinS's jobs.  Maybe all ronaldt.asp does is display KevinS's jobs.  Now that would be a WTF.

 

Yes... yes it does.

GalacticCowboy:

Anonymous:

The real WTF here is that they use VBScript

Yes...  sort of.  It's ASP - VBScript-like syntax is all it supported.

Sorry, not true. ASP is an Active Script Host (see http://msdn.microsoft.com/scripting for more information); by default that means either VBScript or JScript are available to use, but you can easily add support for other languages like, for instance, Perl (see ActivePerl from http://www.activestate.com).

Am I the only one who feels physical pain when reading about such spectacular stupidity?

Anonymous:

Anonymous:

This wtf reminds me of the hardcoded TI-83 BASIC program shells so prevalent in highschool. The ones that could be bypassed by pressing the 'ON' button...

Oh, I'm sure there are many people reading this forum who were once very impressed with themselves after adding a password to an 8-bit BASIC program using plaintext string comparison.

Those of us that were "hardcore" wrote the routine in ASM.

I did once reduce myself to writing a TI-83 menu emulator to fool the teachers into thinking they were really clearing my RAM.  My first ASM app.  Boy could I pull some WTFs out of that code... What is this "stack" you speak of?

I developed this system. It's pretty damn good in my opinion.

Paul Bean

(formerly Paula Bean, I had a sex change operation)

Anonymous:

I developed this system. It's pretty damn good in my opinion.

Paul Bean

(formerly Paula Bean, I had a sex change operation)

I don't believe that you could have done that.  I've seen some of your code, Paul(a), and this goes way beyond your ability.

The right thing to do would be to wrap it up in a proper database. Probably rewriting this function in PL/SQL.

Anonymous:

The right thing to do would be to wrap it up in a proper database. Probably rewriting this function in PL/SQL.

What and then use ODBC through ASP to call it?  yeah, that sounds awesome. Or you could stick it in a COM dll and really cause yourself some pain... ;)

lol  the CAPTCHA word is "enterprise"

Looks pretty typical for a small company with no money.  It probably also did exactly what they wanted it to do.

Am I the only one here who thinks this is not that bad? What is really the big difference between hardcoded usernames and a configuration file, especially for some internal application? Of course it could be done better, a lot better, but it could also be far worse.

Anonymous:

Am I the only one here who thinks this is not that bad? What is really
the big difference between hardcoded usernames and a
configuration file, especially for some internal application? Of course
it could be done better, a lot better, but it could also be far worse.

I don't even want to imagine your "far worse" options ... *shudder* ...



l.

Far worse is easy; Remember those ?admin=true WTFers? :)

merreborn:

Am I the only one who feels physical pain when reading about such spectacular stupidity?

Not at all merreborn......not at all.....

Anonymous:

lol  the CAPTCHA word is "enterprise"

ssshhhhh! the forum bots will hear!

I realise it's not the point here, but what sets my teeth on edge is all this unnecessarily repeated UCase, UCase, UCase rather than upper-casing the appropriate strings once and comparing against those versions throughout the method.

R.Flowers:

Another example of job security through incompetence. If they fire the programmer, they won't be able to hire or fire anybody else. Well, until they hire another programmer.[8-|]

You are almost right - they can fire the programmer, but they cannot stop his paychecks from arriving until they hire another programmer.

This is actually concise code that clearly achieves its intent.  I suspect any alternative solution would introduce new costs, and I'm not sure what the benefits would be.  The WTF in the system is probably that ronaldt.asp and special.asp are needless reimplementations of the default ASP, but since that's not what is actually posted, it's hard to tell.

I'd like to see an alternative solution to this.

 

Anonymous:

Am I the only one here who thinks this is not that bad? What is really the big difference between hardcoded usernames and a configuration file, especially for some internal application? Of course it could be done better, a lot better, but it could also be far worse.

 

Yes you are the only one.

It seems that a lot of people think "Its only an html file. You have to store the information someplace, one file is as good as another. Why not store it in the html file, instead of a config file."

Lets suppose it is an interal app for a small business. And lets suppose for the sake of argument security is pointless, this thing is only implemented for convienience... SO what happens when someone quits or is fired. Who gets to change it?

Do you as the dev want to be bothered with the detail of updating the code in the html every time a person quits or is hired? Do you want some random secratary to be mucking around in your code? Is it going to really kill you to stick this into some sort of database (whether it is a real database or just a simple config file doesn't really matter)

Anonymous:

This is actually concise code that clearly achieves its intent.  I suspect any alternative solution would introduce new costs, and I'm not sure what the benefits would be.  The WTF in the system is probably that ronaldt.asp and special.asp are needless reimplementations of the default ASP, but since that's not what is actually posted, it's hard to tell.

Concise?  Hardly.

Look, the optimist in me hopes you're joking, but my inner pessimist insist on responding anyway.  If you don't see what's wrong with this, get as far from the software business as you possibly can.  You are a danger to yourself and others.

I am beyond tired of working with folks who "can't see the benefit" of good design and maintainable code.  When it's time to do the Hard Work of making code maintainable, they just can't see how the easy way would ever be a problem; yet then when it's time to maintain the code, they're the first ones moaning about how hard it would be to change this or fix that; but of course, the problem isn't the code, so it must be these unreasonable new requirements!

WTF!

 

I want to know why they are sometimes checking usrId and other times checking session("UID").

And what's JEREMYP done to get his access removed?

In any case the UCase(Trim(rsGetUserID("JOB_TITLE"))) and UCase(usrId) called a gazillion times each are a WTF even if nothing else is.

In my experience these types of WTFs are usually caused by managers who would rather do 37 "quick" fixes than commit to doing a bit more work upfront and fixing it once and for all.

woodle:

And what's JEREMYP done to get his access removed?

That's the guy that submitted the code here. They found out.

I think you're missing his point. There are some things that are just
small enough, and one-offs and such, where all the ideas about
maintainability and extensibility are really inappropriate. Now, before
this ridiculous statement sets your teeth on edge, let me offer some
support:

I've been coding for about 10 yrs professionally, I'm at least good
enough to appreciate elegant code and good architecture, patterns,
agile methods, etc.etc, and I still think
that sometimes we all swallow the "extensible framework" kool-aid a bit
too much. I've been on lots of large projects that are orders of
magnitude more complicated than they need to be (not bad, mind you,
well written, but following all the latest rules about how to make your
apps extensible), mostly because they were designed the way they were
"supposed to be". Some things really are a one-off, and building an
n-tier system for something that 2 people are going to use internally
is probably not a good idea most of the time.

Now, the thing about this WTF is that it reminds me of a job I had a
long, long, long time ago. I wasn't really coding back then, but I
worked in tech support for a small (about 100 people ) firm that had
lots of small databases that had been thrown together for people in
Filemaker 3, whose (incredibly minimal) maintenance and extension I
inherited. Anyway, there were lots of things thrown up for the use of 2
or 3 people, and they served the business needs. Passwords were (if I
remember correctly) encoded directly into the db,  which also
worked fine at the time, although obviosly not terribly scalable.
Something like the WTF actually has a few benefits in this environment:

-all the  passwords are in one place.

-yes, you have to "recode" if someone leaves, but it's really not much
more work than changing their password, which you have to do anyway.

-it works

inotherwords, it's fine as a one-off hack. Obviously this equation
changes if it actually needs to be really secure, or if it has to exist
on a bigger scale. But there's a place for this sort of thing.



Of course, it's also atrociously written, but definately not as WTF as some of the giants of the past.

Wouldn't something like this be easier? (yes, still on the quick-n-dirty approach)

//pseudo code

managers = Array("user1", "user2", "user?");

users = Array("user5", "user6", "user?");

if(member(managers)){

  //give cool security access

} else if(member(users)){

  //give minimal access

} else {

  //denied...

}

It is far from perfect... but surely significantly cleaner without building the taj mahal.

Anonymous:

I think you're missing his point. There are some things that are just small enough, and one-offs and such, where all the ideas about maintainability and extensibility are really inappropriate. Now, before this ridiculous statement sets your teeth on edge, let me offer some support....

OK....  hard coding plain text paswords in to anything is like keeping a spare key to your house in one of those little fake rocks 2 metres from the front door. If somebody wants in enough - they have instant access. Now, I understand that not everything is worth the effort of hashing passwords (ie the odd pdf), HOWEVER........surely a 'quick and dirty' authentication system is something most coders should have lying about in a code lib somewhere, ready for when somebody says "Hey! Let's do some sorta q&d auth'ing." A simple (working) auth UI/backend isnt something I would consider a 'one-off'.

 So therefore, wouldnt it be worth the effort of dreaming up something a little bit more inventive than hard coded plain text passes ready for those rainy days? Surely this guys time would have been better spent learning some simple sec tech before embarking on a hack and potentially would have spent a similar amount of time creating something that actually worked for the most part, instead of coming up with utter rubbish.

---

A stitch in time saves nine hundred lines

Anonymous:

I think you're missing his point. There are some things that are just
small enough, and one-offs and such, where all the ideas about
maintainability and extensibility are really inappropriate. Now, before
this ridiculous statement sets your teeth on edge, let me offer some
support:

I've been coding for about 10 yrs professionally, I'm at least good
enough to appreciate elegant code and good architecture, patterns,
agile methods, etc.etc, and I still think
that sometimes we all swallow the "extensible framework" kool-aid a bit
too much. I've been on lots of large projects that are orders of
magnitude more complicated than they need to be (not bad, mind you,
well written, but following all the latest rules about how to make your
apps extensible), mostly because they were designed the way they were
"supposed to be". Some things really are a one-off, and building an
n-tier system for something that 2 people are going to use internally
is probably not a good idea most of the time.

Now, the thing about this WTF is that it reminds me of a job I had a
long, long, long time ago. I wasn't really coding back then, but I
worked in tech support for a small (about 100 people ) firm that had
lots of small databases that had been thrown together for people in
Filemaker 3, whose (incredibly minimal) maintenance and extension I
inherited. Anyway, there were lots of things thrown up for the use of 2
or 3 people, and they served the business needs. Passwords were (if I
remember correctly) encoded directly into the db,  which also
worked fine at the time, although obviosly not terribly scalable.
Something like the WTF actually has a few benefits in this environment:

-all the  passwords are in one place.

-yes, you have to "recode" if someone leaves, but it's really not much
more work than changing their password, which you have to do anyway.

-it works

inotherwords, it's fine as a one-off hack. Obviously this equation
changes if it actually needs to be really secure, or if it has to exist
on a bigger scale. But there's a place for this sort of thing.



Of course, it's also atrociously written, but definately not as WTF as some of the giants of the past.

Steve, first you say it's "concise" and "clearly acheives its intent", then you say it's atrocious.

I'm guessing you are a self-taught coder who learn the skills after many years in the IT industry. I'm also guessing you're surrounded by a bunch of bad-to-mediocre programmers who toss the buzzwords around but are unable to accomplish anything.

We are not talking about extensible frameworks or n-tier architectures here. It's a matter of fundamental programming principles.

Firstly, the code exhibits all signs of being tossed together as the need arises rather than showing any thought whatsoever. It is not a one-of, since the commented-out code shows that it has been modified at least once, so maintainability is definitely an issue. Furthermore, it's not just unoptimized, it's practically anti-optimized. Some have already pointed out the ucase() optimization. Others have also shown how you can do away with multiple if statements by using a simple look up.

Secondly is the abstraction of data and function. You seem to be saying that a database is too heavyweight for this, and I do agree with you on that. I'm also against reinventing the wheel. But having a separate entity isn't the only way to abstract parts of a system. A simple array to provide a lookup table isn't too heavy weight. It's also easier to maintain (even the secretary can do it) and far less error prone.

This site is littered with examples which "just work" but that's not the point. Software engineering is about obtaining a high quality product that can last. Just because some kludge works now doesn't mean it can work in the future.

Anonymous:

Anonymous:

Anonymous:

This wtf reminds me of the hardcoded TI-83 BASIC program shells so prevalent in highschool. The ones that could be bypassed by pressing the 'ON' button...

Oh, I'm sure there are many people reading this forum who were once very impressed with themselves after adding a password to an 8-bit BASIC program using plaintext string comparison.

Those of us that were "hardcore" wrote the routine in ASM.

I did once reduce myself to writing a TI-83 menu emulator to fool the teachers into thinking they were really clearing my RAM.  My first ASM app.  Boy could I pull some WTFs out of that code... What is this "stack" you speak of?

 

our system at school stored the passwords for everything in a text file (called passwords.cfg of something), so all i had to do was fire up the text editing app and open the file, which gave me hours of fun, controlling peoples computers etc, until of course i noticed the teacher standing behind me while i was looking at his inbox [:|]

Wonder what system that was, was some dossie sort of system.

GalacticCowboy:

Anonymous:

The real WTF here is that they use VBScript

Yes...  sort of.  It's ASP - VBScript-like syntax is all it supported.

 

I'm not sure if someone else has already pointed out that you don't know what you're talking about. But just in case they haven't: you don't know what you're talking about. 

Classic "ASP" is just a thin framework/library. It's 5 objects can be implemented in a number of languages, including VBScript--the most common--but also JScript, TCL, etc.

You could rewrite that exact code in JScript almost line for line. ASP is not a language. It does not support any syntax.

The real WTF as far as I can see, is if "ronaldt" sees his personal URL, gets curious, and tries out "jeremyp.asp". Though commented out, I bet you twice the salary-alexp-deserves that jeremyp.asp still resides on the server.