Comment On Real Security

Emmett had been contracted to maintain the curb appeal of The Website of Judy S. Kirkland (#1 Realtor in Townhouse Resales in the Upper Eastern Greater Metro Area, February 2009).

Re: Real Security

2012-10-31 10:51 • by Remy Porter
Obligatory Bobby Tables reference.

Re: Real Security

2012-10-31 10:58 • by Samuele Mattiuzzo (unregistered)
This won't make Judy S. (5-time MostFaithful person award) happy.

Re: Real Security

2012-10-31 10:58 • by Cantabrigian
393824 in reply to 393822
Remy Porter:
Obligatory Bobby Tables reference.


It was already in the article:
Not even showing her The Dreaded Obligatory Cartoon.

Re: Real Security

2012-10-31 10:59 • by Anon Ymous (unregistered)
So you could access the admin page by changing your "Logged" session variable to "ON"?

Re: Real Security

2012-10-31 11:04 • by imgx64 (unregistered)
393826 in reply to 393825
Anon Ymous:
So you could access the admin page by changing your "Logged" session variable to "ON"?


No. Session variables are stored on the server.

Re: Real Security

2012-10-31 11:04 • by Sven (unregistered)
393827 in reply to 393825
Anon Ymous:
So you could access the admin page by changing your "Logged" session variable to "ON"?

Session variables are stored on the server in ASP; all you have on the client is a cookie with the session ID. So you can't change that value.

Re: Real Security

2012-10-31 11:06 • by Steve The Cynic
I'm confused.

Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?

Re: Real Security

2012-10-31 11:06 • by JAPH (unregistered)
TRWTF is that the result set of that query isn't used in a meaningful way. Sure, we cycle over every row returned, but in each cycle we compare the user-supplied password to "star" instead of the appropriate table column.

Re: Real Security

2012-10-31 11:08 • by Bobby Tables (unregistered)
393830 in reply to 393828
The code snippet shown was after Emmett fixed the SQL injection vulnerability.

Re: Real Security

2012-10-31 11:15 • by Ozz (unregistered)
393831 in reply to 393828
Steve The Cynic:
I'm confused.

Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
Looks like you could log in with any username as long as your password was "star".

Re: Real Security

2012-10-31 11:15 • by Michael (unregistered)
should be "...Or worse? Who would trust their home with someone who used Comic Sans?"

Re: Real Security

2012-10-31 11:18 • by Ross Presser (unregistered)
393833 in reply to 393831
Ozz:
Steve The Cynic:
I'm confused.

Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
Looks like you could log in with any username as long as your password was "star".


Indeed. Even a blank username would work.

There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.

Re: Real Security

2012-10-31 11:20 • by Dan F (unregistered)
As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.

Re: Real Security

2012-10-31 11:27 • by Justin R (unregistered)
393836 in reply to 393834
I couldn't agree more with this comment and the OP; they really are like that, shrewd penny-pinchers. I make it a business practice to avoid them at all costs.

Re: Real Security

2012-10-31 11:39 • by chubertdev
Huge security upgrade:


If Request("Password") = "correcthorsebatterystar" Then

Re: Real Security

2012-10-31 11:47 • by da Doctah
393839 in reply to 393834
Dan F:
As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

Pachelbel's Canon in D.

Re: Real Security

2012-10-31 11:47 • by da Doctah
393840 in reply to 393838
chubertdev:
Huge security upgrade:


If Request("Password") = "correcthorsebatterystar" Then
I believe you don't have my stapler?

Re: Real Security

2012-10-31 11:50 • by Abico (unregistered)
393841 in reply to 393833
Ross Presser:
Ozz:
Steve The Cynic:
I'm confused.

Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
Looks like you could log in with any username as long as your password was "star".


Indeed. Even a blank username would work.

There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.

Right. So why does it suggest that ' OR 1=1;-- worked?

Re: Real Security

2012-10-31 11:53 • by DCRoss
393842 in reply to 393833
Ross Presser:
There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.


That's what's confusing. How did Emmett spot the SQL injection vulnerability on the login page, and how did he log in with the username "' OR 1=1;--"?

(Edit: Yeah, what he said.)

Re: Real Security

2012-10-31 11:57 • by Techpaul (unregistered)
393843 in reply to 393842
DCRoss:
Ross Presser:
There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.


That's what's confusing. How did Emmett spot the SQL injection vulnerability on the login page, and how did he log in with the username "' OR 1=1;--"?

(Edit: Yeah, what he said.)


Because he used that as the USERNAME, and in fact ANY username including blank would work as long as the password was 'star'.

Re: Real Security

2012-10-31 11:57 • by Stev (unregistered)
Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?

Re: Real Security

2012-10-31 11:59 • by Remy Porter
393845 in reply to 393824
Yes, but it's still going to show up six more times in the thread.

Re: Real Security

2012-10-31 12:01 • by JC (unregistered)
For the people who still don't get this:

The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.

Re: Real Security

2012-10-31 12:02 • by Ozz (unregistered)
393847 in reply to 393844
Stev:
Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?
There is no SQL injection vulnerability - at least, not in teh codez as shown.

Re: Real Security

2012-10-31 12:03 • by JC (unregistered)
393848 in reply to 393846
JC:
For the people who still don't get this:

The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.

Re: Real Security

2012-10-31 12:07 • by Stev (unregistered)
393849 in reply to 393847
Ozz:
Stev:
Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?
There is no SQL injection vulnerability - at least, not in teh codez as shown.


Exactly. So why did the "proof of concept" work?

Re: Real Security

2012-10-31 12:07 • by Alexander Harris (unregistered)
393850 in reply to 393848
JC:
JC:
For the people who still don't get this:

The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.


The password field must have been already filled in (saved?) from a previous login?

Re: Real Security

2012-10-31 12:11 • by Andrew (unregistered)
TRWTF is Notepad, amirite?

Re: Real Security

2012-10-31 12:12 • by Stev (unregistered)
So basically, TRWF is TDWTF.

Re: Real Security

2012-10-31 12:12 • by AnonymouseUser (unregistered)
If it's a real estate web site why does someone need to log in?

Re: Real Security

2012-10-31 12:14 • by foo (unregistered)
393854 in reply to 393850
Alexander Harris:
JC:
JC:
For the people who still don't get this:

The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.


The password field must have been already filled in (saved?) from a previous login?
I think the explanation is quite simple: Too much creative writing going on (ETDWTF). If we get the original story, it will probably make sense.

Re: Real Security

2012-10-31 12:15 • by JC (unregistered)
393855 in reply to 393853
AnonymouseUser:
If it's a real estate web site why does someone need to log in?


Maybe clients can log in to see status of their sale/purchase

Maybe Landlords can log in to see references gathered from prospective tenants.

Maybe the business owner can log in to update the content of their "news" section.

Why the fuck does it matter?

Re: Real Security

2012-10-31 12:15 • by C-Derb (unregistered)
393856 in reply to 393848
JC:
JC:
For the people who still don't get this:

The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.
Close, but not quite. He is enumerating the records, but is only checking if the form variable "Password" is equal to the value "star" every time through the loop.

As stated by someone else, he used " or 1=1--" as the username, but must have used "star" as the password.

Many WTFs going on here, but there is no injection vulnerability because none of the user input is sent to the SQL Server.
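The check C-Derb describes, as an added example written for this thread rather than the article's ASP or any commenter's code: a Python model of the loop that walks every row of a hard-coded SELECT but compares the submitted password to the literal "star", next to a per-user check. The rows, the Request dict, the iteration count and all function names are constructed for this demo; the fixed version swaps in salted PBKDF2 storage, which the site did not have.

```python
"""Model of the login loop the thread dissects, plus a per-user check.
Added example; the rows, the Request dict and the helper names are
constructed stand-ins for the site's ADO recordset and Request()."""

import hashlib
import hmac
import os

# Constructed stand-in for the rows the hard-coded SELECT returns.
REALTORS = [
    {"login": "judy", "password": "star"},
    {"login": "emmett", "password": "hunter2"},
]


def flawed_login(request, rows=REALTORS):
    """The SELECT is fixed text, so nothing from the form reaches SQL.
    The loop visits every row (RS.MoveNext), but each pass compares the
    *submitted* password to the literal "star" and never reads
    request["Login"] or any column of the row."""
    for _row in rows:
        if request.get("Password", "") == "star":
            return True          # Session("Logged") = "ON"
    return False                 # with zero rows the literal is never checked


# --- per-user check, for contrast -----------------------------------------

ITERATIONS = 100_000             # constructed; tune for the deployment


def make_record(login, password):
    """Salted PBKDF2 digest instead of the plaintext column the site kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"login": login, "salt": salt, "hash": digest}


USERS = {r["login"]: r for r in (make_record("judy", "star"),
                                 make_record("emmett", "hunter2"))}
_DUMMY = make_record("", "")     # keeps unknown-login timing comparable


def fixed_login(request, users=USERS):
    """Look up exactly the submitted login and verify that row's credential."""
    record = users.get(request.get("Login", ""), _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256",
                                    request.get("Password", "").encode(),
                                    record["salt"], ITERATIONS)
    return record is not _DUMMY and hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    print(flawed_login({"Login": "", "Password": "star"}))            # True
    print(flawed_login({"Login": "judy", "Password": "letmein"}))     # False
    print(fixed_login({"Login": "' OR 1=1;--", "Password": "star"}))  # False
```

Run against the constructed table, `flawed_login` accepts any login, including an empty one, whenever the password is "star", rejects "star" only when the table is empty (Alan's point later in the thread), and ignores the login entirely; `fixed_login` accepts only the pair that belongs to one row.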

Re: Real Security

2012-10-31 12:18 • by Andrew (unregistered)
Okay, since no one seems to get it: The login code just loops through the account info stored in the database, and compares the stored passwords to the string "star". Since one of the entries presumably has that password, it'll always log you in. It literally does not matter what the user enters.

Re: Real Security

2012-10-31 12:19 • by foo (unregistered)
393858 in reply to 393839
da Doctah:
Dan F:
As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

Pachelbel's Canon in D.

For some distraction from Bobby Tables, the obligatory Pachelbel reference: http://www.youtube.com/watch?v=JdxkVQy7QLM

Blah blah blah, Akismet, blah blah blah, no spam, blah blah blah, see you in hell, blah blah blah ...

Re: Real Security

2012-10-31 12:19 • by Andrew (unregistered)
393859 in reply to 393857
Never mind, I misread the code. C-Derb is correct. "' OR 1=1; --" could not have worked without a password.

Re: Real Security

2012-10-31 12:20 • by Abico (unregistered)
393860 in reply to 393856
C-Derb:
JC:
JC:
For the people who still don't get this:

The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.
Close, but not quite. He is enumerating the records, but is only checking if the form variable "Password" is equal to the value "star" every time through the loop.

As stated by someone else, he used " or 1=1--" as the username, but must have used "star" as the password.

But why would he do that? Especially if he was attempting to demonstrate the injection vulnerability.

Re: Real Security

2012-10-31 12:21 • by Abico (unregistered)
393861 in reply to 393857
Andrew:
Okay, since no one seems to get it: The login code just loops through the account info stored in the database, and compares the stored passwords to the string "star". Since one of the entries presumably has that password, it'll always log you in. It literally does not matter what the user enters.

No. It checks the password from Request, not from rs.

Re: Real Security

2012-10-31 12:22 • by AnonymouseUser (unregistered)
393862 in reply to 393855
It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.

Re: Real Security

2012-10-31 12:23 • by Sea Sharp, Waves Hurt (unregistered)
If we are to assume any kind of aptitude on the part of the submitter, we must assume that the code shown is, as was said once above, what the original code was replaced with. One could imagine that the original code might've been something like this:

' Form values spliced straight into the statement text (the injectable shape)
SQL = "SELECT realtor_id, login, password FROM [Realtors] WHERE login = '" & Request("Login") & "' AND password = '" & Request("Password") & "'"

Set rs = Conn.Execute(SQL)
If Not rs.EOF Then
    Session("Logged") = "ON"
    Response.Redirect "realtor_home.asp"
End If
I can only imagine that it's possible that obfuscation might've screwed up the actual code and "star" should've been rs("password") ... but, I can't say that for sure. Also, the indentation in the code in the article is all borked.
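The query shape Sea Sharp sketches, reproduced as an added example (not the article's or any commenter's code) against an in-memory SQLite table, beside the parameterised form. The table, its single row, and the function names are constructed for this demo; password storage is left as the plaintext column the sketch assumes, because the point here is only where the form input ends up.

```python
"""String-built WHERE clause versus bound parameters, over a constructed
SQLite stand-in for the [Realtors] table. Added example, not site code."""

import sqlite3


def make_db():
    """Constructed table: one realtor, plaintext password as the sketch assumes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE realtors (realtor_id INTEGER, login TEXT, password TEXT)")
    conn.execute("INSERT INTO realtors VALUES (1, 'judy', 'star')")
    return conn


def build_concatenated(login, password):
    """Same construction as SQL = "... WHERE login = '" & Request("Login") & "' ...":
    whatever the form sends becomes statement text, quotes and all."""
    return ("SELECT realtor_id FROM realtors WHERE login = '" + login +
            "' AND password = '" + password + "'")


def login_concatenated(conn, login, password):
    """If Not rs.EOF Then ... : any returned row counts as a successful login.
    With login = ' OR 1=1;-- the WHERE clause becomes login = '' OR 1=1 and the
    password comparison is commented out, so the row comes back regardless."""
    return conn.execute(build_concatenated(login, password)).fetchone() is not None


def login_parameterised(conn, login, password):
    """Bound parameters: the driver sends the two values separately from the
    statement, so the same login string is compared as data and matches nothing."""
    sql = "SELECT realtor_id FROM realtors WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(build_concatenated("' OR 1=1;--", "x"))
    print(login_concatenated(db, "' OR 1=1;--", "x"))   # True
    print(login_parameterised(db, "' OR 1=1;--", "x"))  # False
```

Note what this shows about the article: the code Emmett left behind builds no statement from form input at all, so the bound-parameter version is the fix for Sea Sharp's imagined original, not for the "star" check the thread is arguing over.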

Re: Real Security

2012-10-31 12:26 • by JC (unregistered)
393864 in reply to 393862
AnonymouseUser:
It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.


Literally the first large "real estate" firm I thought of in my country:

http://www.bairstoweves.co.uk/ - check the top left corner.

Re: Real Security

2012-10-31 12:29 • by Alan (unregistered)
393865 in reply to 393844
Stev:
Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?


As a web developer and database person, it still took me a sec. I think that the "example" in the story above doesn't have much to do with the code (somehow??). What the code boils down to is a hard coded password... of course that assumes you have any users in the database (if no users, then it'll never check the hard coded password).

It is correct, however, that since the SQL statement is hard coded, it's not vulnerable to SQL injection from user input. What other people suggest (user set to "' OR 1 = 1;--" and password set to "star") is probably what actually happened on the "injection test".

Re: Real Security

2012-10-31 12:30 • by Maurits
TRWTF is the unnecessary brackets around [Realtors]; amirite?

Re: Real Security

2012-10-31 12:31 • by Alan (unregistered)
393867 in reply to 393862
AnonymouseUser:
It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.


It depends. I know a Realtor who has 14 other Realtors in his office and they can log into their site to get some information. Since she wasn't able to update her own site, however, I'm not sure what she was doing logging in.

Re: Real Security

2012-10-31 12:41 • by ¯\(°_o)/¯ I DUNNO LOL (unregistered)
393868 in reply to 393831
Ozz:
Steve The Cynic:
I'm confused.

Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
Looks like you could log in with any username as long as your password was "star".
And it's a good thing, otherwise the server would get stuck in an infinite loop, because "RS.MoveNext" was outside the loop.

Or that's what I thought until I looked at it again and noticed that the "End If" and "Loop" indents didn't match the start of their blocks. TRWTF is programmers who can't indent properly.

Re: Real Security

2012-10-31 12:42 • by Nagesh
This story can be made more colorful by introducing more elements like hacking, property buying and selling, and the eventual housing market crash in America.

All possible due to Judy.

Re: Real Security

2012-10-31 12:59 • by ChefJoe (unregistered)
393873 in reply to 393839
da Doctah:
Dan F:
As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

Pachelbel's Canon in D.


In MIDI I hope. I prefer to listen to all my music in MIDI so I know that the notes are exactly the ones the artist intended.

Re: Real Security

2012-10-31 12:59 • by Mason Wheeler
393874 in reply to 393858
foo:
da Doctah:
Dan F:
As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

Pachelbel's Canon in D.

For some distraction from Bobby Tables, the obligatory Pachelbel reference: http://www.youtube.com/watch?v=JdxkVQy7QLM

Blah blah blah, Akismet, blah blah blah, no spam, blah blah blah, see you in hell, blah blah blah ...


Funny seeing that on here. Just this morning I was watching the Four Chords Song, which covers the same basic theme.

Re: Real Security

2012-10-31 13:04 • by Lorne Kates
393875 in reply to 393868
Or that's what I thought until I looked at it again and noticed that the "End If" and "Loop" indents didn't match the start of their blocks. TRWTF is programmers who can't indent properly.


In this one thing, the original programmer is blameless. That's all me. Indenting in a WYSIWYG is hard.

Re: Real Security

2012-10-31 13:05 • by Lorne Kates
393876 in reply to 393850
The password field must have been already filled in (saved?) from a previous login?


Correct.