| « Prev | Page 1 | Page 2 | Next » |
|
You gotta have all your bases covered. What happens when 90210 no longer has a length of five? Then you're screwed!
What I really don't get is: var pass = dataform.pass.value; |
I can see the code being just the portion (if pass==9002) {} and then a junior developer being requested to add most specific error messages such as "Password Required" and "Incorrect Password"... hence copy+paste without understanding |
Hurray. You're the first poster to the thread. What do you get? Oh that's right, absolutely nothing. |
|
|
|
I'm just surprised the password wasn't "13373"
|
If pass = 90210??? looks like an assignment rather than a comparison to me! |
|
I've got it. They forgot this code:
if (pass != 90210) { |
|
Yeah, that's a popular password here...but hopefully this validation is not quite so popular...
|
So after all that checking, it then returns true anyway. Oldest mistake in the book! |
And that explains the code. Some newbie couldn't figure out why it always let people in, even with the wrong password. So they added all the "wrong" conditions rather than figuring out how to type an extra "=". Time to raise the old "paid by the line" argument again? |
No it doesn't because of the checks before. My guess is that the "developer" didn't spot this error, and was puzzled why access was granted when he wanted to deny. So, he started adding the checks in the start, until it finally worked. |
|
Not quite. It has to pass through the oh-so-intimidating gauntlet of not being less than or greater to 90210, and having a length of 5. It does do an assignment, but it has to be 90210 by that point anyway.
|
|
The tradegy here is that this is Javascript. Shaun didn't read the source for the answer, he literally did View -> Page Source to get the password.
I'm also guessing this was maybe an ASP developer as the solution seems pretty straight forward if you don't know you can use != or == |
|
They forgot: if (pass == "Password" ) { |
|
I saw somebody get into this page with a password of ***** (they didn't know I was watching, ha ha)
|
|
A real consultant would write the code the following way (for job security):
if pass == 0 return false if pass == 1 return false . . if pass == 90210 return true if pass == 90211 return false if pass == 90212 return false . . to infinity. |
|
not being a javascript guru myself I'm assuming that the line if (pass > 40017) will generate an error if the user entered in a five digit alpha string, as it would try and convert the string to an integer to compare against the value of 40017?
|
|
According to bad 80's computer-related movies, all I have to do is type "override password" to get around such high-level security measures.
|
|
I'm not a javascript guru either, but I like your suggestion better than most others posted.
My initial thought was that it would prevent the hexadecimal or octal formats of the number ("9C51" or "116 121") from being accepted as valid... But odds are good either javacript doesn't offer that type of auto-conversion, or it's giving the developer more credit than they deserve. |
> forces a numeric context on both sides. If the "pass" variable contains a non-numeric string, numeric context will interpret it as NaN ("not a number") NaN > 40017 is false NaN < 40017 is also false NaN == NaN is false as well |
|
So... taking everything into account... this code is STILL BROKEN
"90210" will work, as it should "90209" and "90211" will fail, as they should But ANY five-character password that numifies to NaN will also work, which is an error. |
|
You're all missing the big question here - Is viewing the page source to obtain the password a violation of the DMCA?
|
Not quite generating an error... IIRC in javascript (string > number) or vice versa will always be false. So for this rather complex password system, any 5-character alphabetic string will be accepted. (Just checked with the javascript console in firefox, and this code apparently does consider "hello" to be the correct password) |
Because normally it's "3l337." :) |
|
So if someone enters "abcde" as a password it lets you in because it makes it through all the preliminary ifs and then the = vs == bug kicks in?
|
Rue the day something like THAT goes to court. |
|
i once saw some similar js in a "are you a good hacker" series.
|
|
Quite a few adult sites had these genious JS passwd protections back in
the good old days. It was actually quite fun just surf around different sites to find out what they had tried out. Oh boy the amount of free quality porn |
|
Leaving aside the fact that this code was available in the "View Source," it's apparent that the programmer wrote the if (pass = 90210) block first. He's using an assignment operator instead of the compare operator. I imagine that his initial tests allowed any password through because his if-block always returned true. Then, instead of discovering that he had an invalid operation in his if-block, he wrote the other tests to systematically filter out bad passwords. All I can say is ... wow! |
|
its a guessing game. They should have messages like "Ooh, nice try" or "try again, maybe a little lower."
Better, levenstein (sp?) distances comparing the password to the entered data, and to the last entered attempt, so the program could reply with "getting warmer...colder...warmer..." |
No, "abcde" would evaluate to zero, and 0 < 90210, so it'd fail. The code seems to work, albeit it stupidly. |
Nevermind. I forgot that string comparisons to numbers are always false. Any 5 character string would work. |
|
I guess the second var
pass = dataform.pass.value; was purely written out of frustration because he thought maybe the pass variable has magically changed to the correct password. I also have a tendency to write random obsolete code when I'm getting frustrated on a problem late at night, just so I can get the code to work. |
|
And they congratulate you for remembering it!
|
what's with all the other crazy javascript when you do a view source? |
|
Did anyone report this vulnerability to Bugtraq or the vulnerable site before publishing a working exploit?
|
'Clever' obfuscation? |
It would appear so, or someone else checked it. The code's been changed to something a *little* more obscure. But the password still works! |
|
Bob Hammer (Hammer Production Company) should become security
consultant. He improved the code. The password is not right there in the code anymore, instead it uses some freak numerology now. Beautiful. You know, someone should build an http server that can ask for a password for certain parts of your site. I'd PAY for that! And they also should somehow encrypt the traffic so that your passwords can't be sniffed. Oh wait, we can LEVERAGE the client's JAVASCRIPT CAPABILTIES for that! P.S.: CSIsW3CDOM = ((document.getElementById) && !(IsIE()&&CSBVers<6)) ? true : false; P.S.2: |
|
I can just hear the dev saying: "It's server side, see? The page sits on a server!"
|
|
Go here for a more sophisticated version of this wtf http://www.paidsurveysonline.com/ So there's just one password, and you'd just have to write a quick brute force program to start multiplying characters of strings together until you go that number. //Encrypted Password script- By Rob Heslop
|
[user="A Wizard A True Star"] Oh, come on. The real WTF here is that the target page is not protected whatsover. You can just copy&paste its URL in the address box and hit return to open it. Very usable. Ever seen a website where index.html will ask for a password, but all other pages will be ass-wide open? Including directory listing of directories with no index.html? Or the frameset page asks for a password, but the pages inside the frameset can be accessed directly? |
Ahh they need to optimise the for loop so that the dont have to calculate the string length in each loop. for(i = 0,iLen=password.length; i < iLen; i++) { There that fixed it. |
|
Not quite. Because of his less than complete
understanding of the way arrays work the first character of pass will be dropped when being transferred into K. Therefore any character followed by 4017 will result in an authenticated password. Unfortunately the redirection mechanism is location.href=pass+".html"; so you won't go to the right page if you give it an "incorrect" password even though it verified it. Good fun. |
My previous post was in reference to this post... |
LOL - wait for it, it will be tomorrows WTF I'm sure... and for job security? Because if they wanted to change the password from 90210 to, say, 90201 then he would have to be employed again long enough to change the true's and falses... |
|
C'mon, you are joking . Not even a first year CS student can be
this obviously stupid. Who QA'ed this code - he should be joining the programmer for Code Security Concepts 101 |
| « Prev | Page 1 | Page 2 | Next » |
Ytram:
