Comment On Ph33r my 5k1llz!

I hate the final stretch of a project; it's when all the minor bugs that I've been putting off fixing need to get fixed. An anonymous submitter that we'll call Scott was brought on for the final round of fixes of a large, vendor-built application.

Re: Ph33r my 5k1llz!

2007-09-19 11:05 • by QueQueg (unregistered)
Swordfish was definitely WTF, great reference.

Re: Ph33r my 5k1llz!

2007-09-19 11:05 • by r (unregistered)
scary stuff

Re: Ph33r my 5k1llz!

2007-09-19 11:07 • by anon (unregistered)
Got to love people that think javascript is effective security. And people that think the presence of a cookie (or any non-signed/hashed cookie value) is a secure authentication mechanism.

Now put them together....

Re: Ph33r my 5k1llz!

2007-09-19 11:33 • by Jargon (unregistered)
The cookie value must be undefined or "No" in order for someone to have admin privileges.

I'm assuming this is a typo, as the code denies the user admin privileges.

Best security system... ever! :)

Re: Ph33r my 5k1llz!

2007-09-19 11:33 • by some1 (unregistered)
I see this regularly. Very bad.

Re: Ph33r my 5k1llz!

2007-09-19 11:33 • by John Doe (unregistered)
Shouldn't the text be as follows?
The cookie value must be undefined or "No" in order for someone not to have admin privileges.

I guess it's hard with all the negative words ;)

Re: Ph33r my 5k1llz!

2007-09-19 11:36 • by villa (unregistered)
"Fidelo"
But what is the house password?

CAPTCHA: pinball. Yay!

Re: Ph33r my 5k1llz!

2007-09-19 11:45 • by Sgt. Preston (unregistered)
153797 in reply to 153795
John Doe:
Shouldn't the text be as follows?
The cookie value must be undefined or "No" in order for someone not to have admin privileges.

I guess it's hard with all the negative words ;)
I'm not a Cold Fusion developer, but that's how I read it. If the cookie value is "No" or if the cookie doesn't exist, you're kicked out to the index.cfm page. Otherwise, you're allowed to stay in the, presumably, sensitive page. That actually makes sense. However, Jake's other comments (any other cookie value, Javascript turned off, etc.) are spot on. It's pretty weak security.

Re: Ph33r my 5k1llz!

2007-09-19 11:46 • by Adam Hupp (unregistered)
This one's even better:

<INPUT TYPE="hidden" NAME="list_admin" VALUE="F">


It does exactly what you think it does. Even worse, this was software that was internet-accessible.

http://seclists.org/bugtraq/2000/Aug/0200.html

Re: Ph33r my 5k1llz!

2007-09-19 11:48 • by Cloak (unregistered)
Well, this is just blacklisting people:

"The cookie value must be undefined or "No" in order for someone to [NOT TO] have admin privileges"

Everybody who is not on the blacklist can log on. Great! Given that you can edit a cookie in Notepad or that you could use a browser that is not capable of JavaScript... Aye!

BTW: I would use an include as well. Why not?

CAPTCHA: atari. Finally a computer with no Windows or UNIX flavour.
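The point anon and Cloak make above (an unsigned cookie is not authentication, and a blacklist of one value is not authorization), as an added example in Python that is not code from this thread or from the application the article describes. It places the article's check (deny only when the cookie is missing or "No") beside a default-deny check on an HMAC-signed value the server issued, and shows that the Notepad-edited cookie passes the first and fails the second. The secret, the user names and the token layout are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only. A real deployment generates it once,
# keeps it server-side and never sends it to the client.
SERVER_SECRET = b"example-only-not-a-real-secret"


def weak_is_admin(cookies):
    """The check from the article: deny only when the cookie is absent or "No".
    Every other value (Yes, yes, 1, random garbage) is treated as admin."""
    value = cookies.get("admin")
    return not (value is None or value == "No")


def issue_admin_token(username, secret=SERVER_SECRET, ttl=3600, now=None):
    """Server-side issuance: payload user|role|expiry, signed with HMAC-SHA256.
    The client can see the token but cannot change any field without breaking
    the signature. (The username must not contain the '|' separator.)"""
    expires = int(now if now is not None else time.time()) + ttl
    payload = f"{username}|admin|{expires}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_admin_token(token, secret=SERVER_SECRET, now=None):
    """Default deny: returns the username only if the signature verifies, the
    role is admin and the token is unexpired. Anything else returns None."""
    if not token:
        return None
    parts = token.split("|")
    if len(parts) != 4:
        return None
    username, role, expires, mac = parts
    payload = f"{username}|{role}|{expires}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if role != "admin":
        return None
    current = now if now is not None else time.time()
    if not expires.isdigit() or int(expires) <= current:
        return None
    return username


def signed_is_admin(cookies, secret=SERVER_SECRET, now=None):
    """Drop-in replacement for weak_is_admin using the signed token."""
    return verify_admin_token(cookies.get("admin"), secret, now) is not None


def demo():
    """Compares both checks against a forged cookie, a garbage cookie, a valid
    token, a token whose payload was edited in Notepad, and an expired token."""
    forged = {"admin": "Yes"}
    garbage = {"admin": "anything-at-all"}
    weak = (weak_is_admin(forged), weak_is_admin(garbage), weak_is_admin({}))

    token = issue_admin_token("alice", now=1_000_000)
    tampered = token.replace("alice", "mallory")  # payload edited, MAC kept
    signed = (
        signed_is_admin(forged),
        signed_is_admin({"admin": token}, now=1_000_100),
        signed_is_admin({"admin": tampered}, now=1_000_100),
        signed_is_admin({"admin": token}, now=1_000_000 + 3600),  # expired
    )
    return weak, signed


if __name__ == "__main__":
    print(demo())
```

The signed token still lives in a cookie, so transport protection (HTTPS, HttpOnly, Secure) and a way to revoke it before expiry are separate concerns; the example only closes the "edit it in Notepad" hole the thread is about.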

Re: Ph33r my 5k1llz!

2007-09-19 12:02 • by Vechni
WTF? This depends on whether or not this app is run on an intranet... if it is run on an intranet then it is highly unlikely that a non-IT employee would have the wits to do this-- and if so I'd be F**king happy, at least they won't need help with their printer. Also, grounds for dismissal.

Deployed on the internet- then yeah, WTF.

Re: Ph33r my 5k1llz!

2007-09-19 12:05 • by David C (unregistered)
Why use Coldfusion for... well... anything?!

(spent 1.5 years doing CF development... PAINFUL)

Re: Ph33r my 5k1llz!

2007-09-19 12:12 • by Matt (unregistered)
153802 in reply to 153799
Cloak:
BTW: I would use an include as well. Why not?

Probably in this case there's no reason not to. If the contents of "../../include_admin_security.cfm" are not needed on every page and don't return any values (like in this case) a cfinclude is a good way to go.

Yes, an application.cfm would be better for this sort of thing, and an application.cfc would be more robust, but I doubt that was a major concern here.

Re: Ph33r my 5k1llz!

2007-09-19 12:15 • by Alcari (unregistered)
The real WTF is that someone would willingly use Cold Fusion.

Re: Ph33r my 5k1llz!

2007-09-19 12:16 • by codemonkey (unregistered)
grounds for dismissal? Even if it is on intranet, with such lax security, any employee who can google what a cookie is can get access to admin pages, which, depending on the company/page, might be very valuable company secrets. Firing someone isn't going to stop the fact that they already could've sold the company secrets...

very bad design

Re: Ph33r my 5k1llz!

2007-09-19 12:17 • by PSWorx
Also, what about the fancy "window.open(...,'_self')"? Is this a countermeasure against those ultra-sophisticated hackers that have location.replace() disabled?
I wonder what happens if the user has a popup blocker running...

Re: Ph33r my 5k1llz!

2007-09-19 12:17 • by Cloak (unregistered)
153807 in reply to 153800
Vechni:
WTF? This depends on whether or not this app is run on an intranet... if it is run on an intranet then it is highly unlikely that a non-IT employee would have the wits to do this-- and if so I'd be F**king happy, at least they won't need help with their printer. Also, grounds for dismissal.

Deployed on the internet- then yeah, WTF.



Yeah, WTF, indeed. Everybody knows the threat comes from inside, because here you must be dreaming: "it is highly unlikely that a non IT employee would have the wits to do this"

Maybe they are not IT guys, but that sometimes makes them even more dangerous. People who click here and there aimlessly can find quite a few backdoors in enterprise systems. Even if it's only accessing HR data.

Be warned!

Re: Ph33r my 5k1llz!

2007-09-19 12:22 • by Cloak (unregistered)
153809 in reply to 153802
Matt:
Cloak:
BTW: I would use an include as well. Why not?

Probably in this case there's no reason not to. If the contents of "../../include_admin_security.cfm" are not needed on every page and don't return any values (like in this case) a cfinclude is a good way to go.

Yes, an application.cfm would be better for this sort of thing, and an application.cfc would be more robust, but I doubt that was a major concern here.


The <CFSESSION> can only take care of an entire session but not for individual pages. And in CF I have seen sessions die after minutes for no reason even though they were set to expire only after hours.

Re: Ph33r my 5k1llz!

2007-09-19 12:41 • by Nonymous (unregistered)
153811 in reply to 153809
What tag are you talking about? There is no <cfsession>.

Re: Ph33r my 5k1llz!

2007-09-19 12:47 • by Cloak (unregistered)
153812 in reply to 153811
Nonymous:
What tag are you talking about? There is no <cfsession>.


<CFSESSION> is not in the article. Just as in every web application you can use application and session variables to store similar kinds of information. These are defined in the previously mentioned "application.cfm".
The first time the application is run the <CFAPPLICATION> tag is checked and then every time a user logs on the <CFSESSION> is checked. So, normally this is more logical than using includes.

Re: Ph33r my 5k1llz!

2007-09-19 13:08 • by Russ (unregistered)
153813 in reply to 153801
David C:
Why use Coldfusion for... well... anything?!

(spent 1.5 years doing CF development... PAINFUL)


If you don't have brains, doing any sort of development is painful. CF is the easiest and the best language for web development. Unfortunately, because it's so easy, a lot of dumbasses get into it, and write code like this. If you have half a brain, you can write better, more secure apps in CF multitudes faster than in any other language.

Re: Ph33r my 5k1llz!

2007-09-19 13:09 • by seejay
153814 in reply to 153801
David C:
Why use Coldfusion for... well... anything?!

(spent 1.5 years doing CF development... PAINFUL)


The application I inherited was written entirely in CF with a SQL database backend. After a week of doing tweaks in the code and stabbing myself in the ear repeatedly with a pen, I pushed my boss to let me rewrite it in ASP.

Part of me wishes I'd just left it... then I wouldn't have had to see the DB queries that were 400 lines long, consisting of copy/paste sections with one variable changed per section.

At least it's now a quarter of the size, twice as fast, and doesn't look like a Disey programming language.

-- Seejay

Re: Ph33r my 5k1llz!

2007-09-19 13:10 • by Russ (unregistered)
153815 in reply to 153804
Alcari:
The real WTF is that someone would willingly use Cold Fusion.


The real WTF is that someone who can't even spell ColdFusion thinks he's qualified to comment on it.

Re: Ph33r my 5k1llz!

2007-09-19 13:12 • by Russ (unregistered)
153816 in reply to 153814
seejay:
David C:
Why use Coldfusion for... well... anything?!

(spent 1.5 years doing CF development... PAINFUL)


The application I inherited was written entirely in CF with a SQL database backend. After a week of doing tweaks in the code and stabbing myself in the ear repeatedly with a pen, I pushed my boss to let me rewrite it in ASP.

Part of me wishes I'd just left it... then I wouldn't have had to see the DB queries that were 400 lines long, consisting of copy/paste sections with one variable changed per section.

At least it's now a quarter of the size, twice as fast, and doesn't look like a Disey programming language.

-- Seejay


Although it might be possible to rewrite a BAD CF application in less code in ASP, I would bet that I can rewrite a GOOD ASP application in less code in CF. Just because you're more comfortable in ASP, and don't get CF, doesn't mean CF is a worse language.

Re: Ph33r my 5k1llz!

2007-09-19 13:13 • by Matt (unregistered)
153817 in reply to 153813
Russ:
David C:
Why use Coldfusion for... well... anything?!

(spent 1.5 years doing CF development... PAINFUL)


If you don't have brains, doing any sort of development is painful. CF is the easiest and the best language for web development. Unfortunately, because it's so easy, a lot of dumbasses get into it, and write code like this. If you have half a brain, you can write better, more secure apps in CF multitudes faster than in any other language.


If someone can show me a language that's dumbass-proof, I'd like to see it. .NET certainly isn't. Java isn't. C++ isn't by a long shot, and as an added bonus you can do a lot more damage with C++.

Re: Ph33r my 5k1llz!

2007-09-19 13:17 • by Russ (unregistered)
153818 in reply to 153817
Matt:
Russ:
David C:
Why use Coldfusion for... well... anything?!

(spent 1.5 years doing CF development... PAINFUL)


If you don't have brains, doing any sort of development is painful. CF is the easiest and the best language for web development. Unfortunately, because it's so easy, a lot of dumbasses get into it, and write code like this. If you have half a brain, you can write better, more secure apps in CF multitudes faster than in any other language.


If someone can show me a language that's dumbass-proof, I'd like to see it. .NET certainly isn't. Java isn't. C++ isn't by a long shot, and as an added bonus you can do a lot more damage with C++.


I guess the difference with the other languages is that the bar is set higher. With CF, even dumbasses can be moderately successful and write sort of working applications.

Re: Ph33r my 5k1llz!

2007-09-19 13:24 • by Licky Lindsay
Please tell me you're posting old stories saved up from 10 years ago. Please tell me nobody still does stuff like this anymore. Say it ain't so.

Re: Ph33r my 5k1llz!

2007-09-19 13:25 • by seejay
153820 in reply to 153816
Russ:
seejay:
At least it's now a quarter of the size, twice as fast, and doesn't look like a Disey programming language.

-- Seejay


Although it might be possible to rewrite a BAD CF application in less code in ASP, I would bet that I can rewrite a GOOD ASP application in less code in CF. Just because you're more comfortable in ASP, and don't get CF, doesn't mean CF is a worse language.


Never said that CF didn't have its uses or that it couldn't be used to write good applications in less code. But as a programmer, with a background in standard programming languages, CF is oddly formed and difficult to wrap your head around. Combine it with the fact that there's a lot of simplistic stuff in it to make it "friendly" to monkeys, it tends to make my programmer brain cry out in pain.

I *have* used aspects of CF for my current ASP and ASP.NET applications. My current apps are stored on an internal server, accessible only to people within my department, while the CF servers are accessible by anyone within the company. This set up has given me a lot of flexibility and power for things that I want to do... surveys for clients within the company to do? Set it up on the CF server, send results to the ASP server. Authentication to get into the department only server? Start at the CF server, grab credentials, pass to the internal server to verify and if good, give access. The CF server also has easy access to the mail server, while my internal one gave me headaches. Internal passes information to external, sends email, and responds back that it was successful.

The CF server has been an absolute godsend for some of the things I've needed to do. The language syntax though makes me cringe.

And to add, it's a smart and intelligent programmer that can view the various tools outside of the box and use what's available. CF has its uses and dismissing it outright when your toolbox doesn't always have what you want isn't the smartest thing to do. But some tools aren't always elegant, which is one of the reasons why I dislike CF.

-- Seejay

Re: Ph33r my 5k1llz!

2007-09-19 13:30 • by Licky Lindsay
153826 in reply to 153801
David C:
Why use Coldfusion for... well... anything?!

(spent 1.5 years doing CF development... PAINFUL)


Been there. Done that. In my experience the CF world is divided between a small number of people that might have some CS or at least IT background, and a vast sea of people who fell back on programming after failing at every other career they tried back in the early 90's.

So, really, just like any other "web page" language.

Re: Ph33r my 5k1llz!

2007-09-19 13:33 • by Russ (unregistered)
153828 in reply to 153820
seejay:
Russ:
seejay:
At least it's now a quarter of the size, twice as fast, and doesn't look like a Disey programming language.

-- Seejay


Although it might be possible to rewrite a BAD CF application in less code in ASP, I would bet that I can rewrite a GOOD ASP application in less code in CF. Just because you're more comfortable in ASP, and don't get CF, doesn't mean CF is a worse language.


Never said that CF didn't have its uses or that it couldn't be used to write good applications in less code. But as a programmer, with a background in standard programming languages, CF is oddly formed and difficult to wrap your head around. Combine it with the fact that there's a lot of simplistic stuff in it to make it "friendly" to monkeys, it tends to make my programmer brain cry out in pain.

I *have* used aspects of CF for my current ASP and ASP.NET applications. My current apps are stored on an internal server, accessible only to people within my department, while the CF servers are accessible by anyone within the company. This set up has given me a lot of flexibility and power for things that I want to do... surveys for clients within the company to do? Set it up on the CF server, send results to the ASP server. Authentication to get into the department only server? Start at the CF server, grab credentials, pass to the internal server to verify and if good, give access. The CF server also has easy access to the mail server, while my internal one gave me headaches. Internal passes information to external, sends email, and responds back that it was successful.

The CF server has been an absolute godsend for some of the things I've needed to do. The language syntax though makes me cringe.

And to add, it's a smart and intelligent programmer that can view the various tools outside of the box and use what's available. CF has its uses and dismissing it outright when your toolbox doesn't always have what you want isn't the smartest thing to do. But some tools aren't always elegant, which is one of the reasons why I dislike CF.

-- Seejay


I have a MS in CS, and I have had no trouble getting used to the syntax, while ASP makes me cringe. CF is so easy, that you can actually memorize 90% of the things you'll use, and won't have to use documentation all the time. CF has CFScript, which is very similar to c++ in syntax. It has CFC's, which are sort of classes, and although they're not real classes, they do their job well. And best of all, if you don't like the CF functions, all of the objects are java objects, and you can find the methods and call them directly (such as the string methods on scalar variables). So, if you don't like the way CF does things, you can just use almost pure java.

Re: Ph33r my 5k1llz!

2007-09-19 13:38 • by Groovy (unregistered)
153829 in reply to 153813
Russ:
David C:
Why use Coldfusion for... well... anything?!

(spent 1.5 years doing CF development... PAINFUL)


If you don't have brains, doing any sort of development is painful. CF is the easiest and the best language for web development. Unfortunately, because it's so easy, a lot of dumbasses get into it, and write code like this. If you have half a brain, you can write better, more secure apps in CF multitudes faster than in any other language.


Grails -- Check it out
http://www.grails.org/

Re: Ph33r my 5k1llz!

2007-09-19 13:45 • by Licky Lindsay
153831 in reply to 153829
Groovy:

Grails -- Check it out
http://www.grails.org/


Let me get this straight.. you're actually using this site to do astro-turf marketing for your favorite framework? This is the kind of comment I expect to see on Youtube, "cute movie... there's lots of hot camgirls at emocamchicks.com".

Re: Ph33r my 5k1llz!

2007-09-19 13:54 • by Russ (unregistered)
153834 in reply to 153820
seejay:

And to add, it's a smart and intelligent programmer that can view the various tools outside of the box and use what's available. CF has its uses and dismissing it outright when your toolbox doesn't always have what you want isn't the smartest thing to do. But some tools aren't always elegant, which is one of the reasons why I dislike CF.
-- Seejay


I agree that the programmer should use the best tool available to him, which is why I will use perl or java, or any other language that might be better for the job at hand. I do not agree that cf is not elegant, I think it's a very elegant language, and I would love to be proven wrong. I mean what's more elegant and simple than:

<cfquery name="users" datasource="mydsn">
select userID, userName from users
</cfquery>

<cfoutput query="users">
<a href="/user.cfm?id=#userID#">#userName#</a><br/>
</cfoutput>

Re: Ph33r my 5k1llz!

2007-09-19 13:56 • by Russ (unregistered)
153835 in reply to 153826
Licky Lindsay:
David C:
Why use Coldfusion for... well... anything?!

(spent 1.5 years doing CF development... PAINFUL)


Been there. Done that. In my experience the CF world is divided between a small number of people that might have some CS or at least IT background, and a vast sea of people who fell back on programming after failing at every other career they tried back in the early 90's.

So, really, just like any other "web page" language.


Actually, it's kind of interesting. It seems that the people that are some of the top developers in CF actually don't have a CS background. I think that speaks pretty well for the language -- the fact that people with no formal CS training can build great applications in it.

Re: Ph33r my 5k1llz!

2007-09-19 14:11 • by KattMan
153839 in reply to 153831
Licky Lindsay:
Groovy:

Grails -- Check it out
http://www.grails.org/


Let me get this straight.. you're actually using this site to do astro-turf marketing for your favorite framework? This is the kind of comment I expect to see on Youtube, "cute movie... there's lots of hot camgirls at emocamchicks.com".


There are? Too bad I can't get emocamchicks.com at work, gotta wait till I get home.

Re: Ph33r my 5k1llz!

2007-09-19 14:19 • by durnurd
153840 in reply to 153815
Russ:
Alcari:
The real WTF is that someone would willingly use Cold Fusion.


The real WTF is that someone who can't even spell ColdFusion thinks he's qualified to comment on it.


Well, think about all the other programming languages. C, PHP, SQL, VB... not very hard to spell, are they? A misplaced space here or there is rarely called a spelling error, and in most languages, it is inconsequential (I'll admit, putting it in the middle of a variable name would be a little problematic, but then English is not a strongly typed language)

Re: Ph33r my 5k1llz!

2007-09-19 14:25 • by That's Me! (unregistered)
153841 in reply to 153834
Russ:
I do not agree that cf is not elegant, I think it's a very elegant language, and I would love to be proven wrong. I mean what's more elegant and simple than:

<cfquery name="users" datasource="mydsn">
select userID, userName from users
</cfquery>

<cfoutput query="users">
<a href="/user.cfm?id=#userID#">#userName#</a><br/>
</cfoutput>

Oh, come on, Russ... what's not to love about:
Dim objConn, objRecordset

Set objConn = Server.CreateObject("ADODB.Connection")
Set objRecordset = Server.CreateObject("ADODB.Recordset")

objConn.Open "Provider=sqloledb;Server=HappyServerName;Database=HappyDB;User Id=HappyUser;Password=HappyPeople"
objRecordset.Open "Select userID, userName From users", objConn, 2, 1

While Not objRecordset.EOF
    Response.Write("<a href='/user.asp?id=" & objRecordset("userID") & "'>" & objRecordset("userName") & "</a><br/>")
    objRecordset.MoveNext ' advance the cursor, otherwise the loop never ends
Wend

objRecordset.Close
objConn.Close

Set objRecordset = Nothing
Set objConn = Nothing



I mean really, I think you're just splitting hairs... if you were getting paid by the hour, it'd be Miller time!

Re: Ph33r my 5k1llz!

2007-09-19 14:50 • by Dave (unregistered)
This reminds me of the old user id in the query string WTF...

Re: Ph33r my 5k1llz!

2007-09-19 14:53 • by brazzy
153846 in reply to 153813
Russ:

If you don't have brains, doing any sort of development is painful. CF is the easiest and the best language for web development. Unfortunately, because it's so easy, a lot of dumbasses get into it, and write code like this. If you have half a brain, you can write better, more secure apps in CF multitudes faster than in any other language.


Hi brainless dumbass,

Sweeping superlatives like that are by definition wrong and just prove your own ignorance.

Re: Ph33r my 5k1llz!

2007-09-19 14:59 • by Corporate Cog (unregistered)
153847 in reply to 153815
Russ:
Alcari:
The real WTF is that someone would willingly use Cold Fusion.


The real WTF is that someone who can't even spell ColdFusion thinks he's qualified to comment on it.


Agreed. Any time someone misspells something, I completely discount their opinion!

Re: Ph33r my 5k1llz!

2007-09-19 15:01 • by Corporate Cog (unregistered)
153848 in reply to 153846
brazzy:
Russ:

If you don't have brains, doing any sort of development is painful. CF is the easiest and the best language for web development. Unfortunately, because it's so easy, a lot of dumbasses ...


Hi brainless dumbass,

Sweeping superlatives like that are by definition wrong and just prove your own ignorance.


The real WTF is that there are so many contentious readers of this site.

Re: Ph33r my 5k1llz!

2007-09-19 15:08 • by Russ (unregistered)
153849 in reply to 153841
That's Me!:
Russ:
I do not agree that cf is not elegant, I think it's a very elegant language, and I would love to be proven wrong. I mean what's more elegant and simple than:

<cfquery name="users" datasource="mydsn">
select userID, userName from users
</cfquery>

<cfoutput query="users">
<a href="/user.cfm?id=#userID#">#userName#</a><br/>
</cfoutput>

Oh, come on, Russ... what's not to love about:
Dim objConn, objRecordset

Set objConn = Server.CreateObject("ADODB.Connection")
Set objRecordset = Server.CreateObject("ADODB.Recordset")

objConn.Open "Provider=sqloledb;Server=HappyServerName;Database=HappyDB;User Id=HappyUser;Password=HappyPeople"
objRecordset.Open "Select userID, userName From users", objConn, 2, 1

While Not objRecordset.EOF
    Response.Write("<a href='/user.asp?id=" & objRecordset("userID") & "'>" & objRecordset("userName") & "</a><br/>")
    objRecordset.MoveNext ' advance the cursor, otherwise the loop never ends
Wend

objRecordset.Close
objConn.Close

Set objRecordset = Nothing
Set objConn = Nothing



I mean really, I think you're just splitting hairs... if you were getting paid by the hour, it'd be Miller time!


I hope you were being sarcastic. The CF code is half the size and a lot easier to read, and the ASP code is wide open for people to forget to close things and release object memory, leading to bugs and memory leaks.

Re: Ph33r my 5k1llz!

2007-09-19 15:09 • by RobertB
So I guess everyone was too busy bashing CF to bother doing a Google search on "You do not have permissions to view this area"?

...

...

...

Ok, it didn't pull up the offending site, just this blog entry and a few mirrors (fast crawler!). But still, wouldn't that have been fun?

And of course, VB6 rules. :)

Re: Ph33r my 5k1llz!

2007-09-19 15:11 • by Matthew (unregistered)
153851 in reply to 153800
Vechni:
WTF? This depends on whether or not this app is run on an intranet...


Seriously, it is a WTF either way because you know this clueless coder is using this "security" in other applications. It isn't like they were lazy because it was "just an intranet application" or something. I mean, how hard would it have been to store the "admin" flag in, say, the session on the server? I don't know about Cold Fusion, but in Ruby on Rails the amount of code is exactly the same. cookies[:is_admin] vs. session[:is_admin].

-matthew
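Matthew's suggestion above (keep the admin flag in a server-side session, not in a cookie the client writes) and PSWorx's point about the window.open redirect, as an added example in Python that is not code from this thread or from the application the article describes. It models the article's admin page, which always sends the page body and relies on a JavaScript alert plus window.open('index.cfm','_self') to bounce non-admins, next to a handler that decides from server-side session state and answers non-admins with a 302 and an empty body. A client that never runs scripts (curl, or a browser with JavaScript off) reads the secret from the first and nothing from the second. The session store, the handler names and the sample report text are constructed for illustration.

```python
import secrets
from http import HTTPStatus

# Constructed sample content for the protected page.
SECRET_REPORT = "Q3 salary table (constructed sample data)"

# Server-side session store: the browser only ever holds the opaque session id.
SESSIONS = {}


def login(username, is_admin):
    """Creates a session after the (not shown) credential check and returns the
    id the server would set as the session cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "is_admin": is_admin}
    return sid


def vulnerable_admin_page(cookies):
    """The article's pattern: the admin content is always sent. A script at the
    top is meant to alert and navigate away when the cookie is missing or "No"."""
    value = cookies.get("admin")
    allowed = not (value is None or value == "No")
    body = ""
    if not allowed:
        body += ('<script>alert("You do not have permissions to view this area");'
                 "window.open('index.cfm','_self')</script>\n")
    body += f"<h1>Admin</h1><p>{SECRET_REPORT}</p>"
    return HTTPStatus.OK, {}, body


def hardened_admin_page(cookies):
    """Authorization is decided from server-side state. Non-admins get a
    redirect with no body, so there is nothing for a non-JS client to read."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None or not session.get("is_admin"):
        return HTTPStatus.FOUND, {"Location": "/index.cfm"}, ""
    return HTTPStatus.OK, {}, f"<h1>Admin</h1><p>{SECRET_REPORT}</p>"


def fetch_without_javascript(handler, cookies):
    """A curl-style client: sends the cookies, reads whatever body comes back,
    never executes scripts. Returns (status, secret_was_readable)."""
    status, _headers, body = handler(cookies)
    return status, SECRET_REPORT in body


if __name__ == "__main__":
    print("vulnerable, cookie admin=No :", fetch_without_javascript(vulnerable_admin_page, {"admin": "No"}))
    print("hardened, forged session id :", fetch_without_javascript(hardened_admin_page, {"sid": "forged"}))
    print("hardened, real admin session:", fetch_without_javascript(hardened_admin_page, {"sid": login("alice", True)}))
```

Whether the bounce is done with window.open, location.replace or a meta refresh makes no difference: the sensitive markup has already left the server in the same response. The fix is that the decision happens before the body is written, against state the client cannot author.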

Re: Ph33r my 5k1llz!

2007-09-19 15:12 • by Russ (unregistered)
153852 in reply to 153840
durnurd:
Russ:
Alcari:
The real WTF is that someone would willingly use Cold Fusion.


The real WTF is that someone who can't even spell ColdFusion thinks he's qualified to comment on it.


Well, think about all the other programming languages. C, PHP, SQL, VB... not very hard to spell, are they? A misplaced space here or there is rarely called a spelling error, and in most languages, it is inconsequential (I'll admit, putting it in the middle of a variable name would be a little problematic, but then English is not a strongly typed language)


The point is that ColdFusion has not been called Cold Fusion for many, many years. The name has been changed to prevent people from confusing it with Cold Fusion term in physics. So if you've really used a recent version of ColdFusion, you should know how it's spelled, and if you don't, it means that you probably haven't used the language in many years, and shouldn't be allowed to make comments about it.

Re: Ph33r my 5k1llz!

2007-09-19 15:12 • by snoofle
153853 in reply to 153782
I too, have used CF (in the distant past) for a small internal web app backed by Sybase. It wasn't fancy, but it was handy (eg: we already had paid for the licenses and didn't need to go through purchasing), and it did the job.

I think most of us would agree that anyone with decent coding skills and reasonable familiarity with a given tool can do a pretty nice job of building something with that tool.

Likewise, anyone with no brains and even less skills can create something worthy of this site using any tool in any capacity.

Re: Ph33r my 5k1llz!

2007-09-19 15:17 • by snoofle
153854 in reply to 153852
Russ:
durnurd:
Russ:
Alcari:
The real WTF is that someone would willingly use Cold Fusion.


The real WTF is that someone who can't even spell ColdFusion thinks he's qualified to comment on it.


Well, think about all the other programming languages. C, PHP, SQL, VB... not very hard to spell, are they? A misplaced space here or there is rarely called a spelling error, and in most languages, it is inconsequential (I'll admit, putting it in the middle of a variable name would be a little problematic, but then English is not a strongly typed language)


The point is that ColdFusion has not been called Cold Fusion for many, many years. The name has been changed to prevent people from confusing it with Cold Fusion term in physics. So if you've really used a recent version of ColdFusion, you should know how it's spelled, and if you don't, it means that you probably haven't used the language in many years, and shouldn't be allowed to make comments about it.

So there are people that would actually confuse <CFxxx> with the physics concept of Cold Fusion? The conversation would need to go something like this:

Physicist: We need to create a web site to show our work with Cold Fusion
Programmer: We'll do it with ColdFusion
Physicist: Right, Cold Fusion
Programmer: Um, no, ColdFusion; there's no space
Physicist: No space for what?
Programmer: ColdFusion
Physicist: (wtf?)

Re: Ph33r my 5k1llz!

2007-09-19 15:31 • by That's Me! (unregistered)
153855 in reply to 153849
Russ:

I hope you were being sarcastic. The CF code is half the size, a lot easier to read, and the ASP code is wide open for people to forget to close things, and release object memory leading to bugs and memory leaks.


I was. But to be fair to ASP in VBScript, the ASP code doesn't require a System DSN to be set up (+1), doesn't technically need the Dim statements or the final *.Close or Set statements (it's just good practice), and could be done in 5 lines if you only wanted to return the first record in the db and didn't mind an ugly error if there weren't any records :)


Set objConn = Server.CreateObject("ADODB.Connection")
Set objRecordset = Server.CreateObject("ADODB.Recordset")

objConn.Open "Provider=sqloledb;Server=HappyServerName;Database=HappyDB;User Id=HappyUser;Password=HappyPeople"
objRecordset.Open "Select userID, userName From users", objConn, 2, 1

Response.Write("<a href='/user.asp?id=" & objRecordset("userID") & "'>" & objRecordset("userName") & "</a><br/>")


...

That said, CF can technically do similar in two lines but really, are we going to get our panties in a bunch over an additional half-dozen lines of code?

To respond to the original WTF, my personal opinion would be that an include to handle security (and other common features/functions) would be how I'd go (though I have no CF experience so maybe there's a better way in CF?) so that in itself wouldn't be a harbinger of the evil to come (quite the opposite in my books). But certainly security by inverse-authority is odd (i.e. everyone's a 'yes' unless they're specifically a 'no') if not just plain stupid. That it's implemented in client-side JavaScript is... baffling.

If the OP is reading these (or to others with an opinion), what *would* be the most elegant way to include an admin file (and again, not knowing CF, I'm assuming that ../../include_admin_security.cfm is outside of the webroot)?

Re: Ph33r my 5k1llz!

2007-09-19 16:05 • by savar
153858 in reply to 153805
codemonkey:
grounds for dismissal? Even if it is on intranet, with such lax security, any employee who can google what a cookie is can get access to admin pages, which, depending on the company/page, might be very valuable company secrets. Firing someone isn't going to stop the fact that they already could've sold the company secrets...

very bad design


Why do people even act like the people who ARE smart enough to fake the cookie would be the people you DON'T have to worry about? That's obviously silly. When I see weak sauce security I go straight at it...just for fun and embarrassment of the people involved.

What's the point of security if not to keep technically inclined people out of private areas? If we were only worried about dumbasses, we would just not publish the URL and add a robots.txt telling Google to go away.

Re: Ph33r my 5k1llz!

2007-09-19 16:16 • by thogi (unregistered)
This is a WTF in so many ways. The thing is that ColdFusion does have a perfectly functional built in security model. The real kicker for me though is that even if you're going with an idiotic security method, the code should've been much shorter:

<cfif Not IsDefined('cookie.admin') or cookie.admin is not 'yes'>
<script language="JavaScript">
alert("You do not have permissions to view this area");
window.open('index.cfm','_self')
</script>
</cfif>
