Comment On wtfuniversity.edu

Today marks the end of our brief tour at WTFU. And what better way to end it than how it probably should have started: with the university's public webpage. At least, that's the first place that Mike R. looked when he heard that WTFU offered some fairly good and relatively inexpensive graduate programs. Now this may come as a shock to some, but Mike reported that the web-browsing experience at wtfuniversity.edu was just a bit less than optimal.

Re: wtfuniversity.edu

2006-07-27 15:16 • by Raider
At least this one was a 'Before Attending ...' instead of an 'I spent $30,000 there only to learn how to pick my nose and browse porn sites during class' .. Good choice in seeking an alternative university ...

Re: wtfuniversity.edu

2006-07-27 15:16 • by snoofle

What, they couldn't use the close-enough spelling page to route for the appropriate browser?


 

Re: wtfuniversity.edu

2006-07-27 15:17 • by Bleck
Blecky bleck. 111th.

Anyway, I hope there was a pubwww.dbo.grades, the author would have been stoked.

Re: wtfuniversity.edu

2006-07-27 15:17 • by Anony
I need a WTFU t-shirt now.

Re: wtfuniversity.edu

2006-07-27 15:17 • by Andy
    So, who besides me tried to go to the link?

captcha: captcha

Re: wtfuniversity.edu

2006-07-27 15:18 • by R.Flowers
Alex Papadimoulis:
<img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">


...

<link rel="stylesheet" type="text/css" media="screen"
href="/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18"
/>

See, that's not too bad. If you think about it, using SQL to retrieve resources like that actually can -- I got nothing. However, I will end today on a good note. After his experience on their webpage, Mike decided that a graduate degree at WTFU just wasn't the right thing for him …



And a short time later, the images refused to load at all, almost as if the website content had DROPped off the face of the web...

Re: wtfuniversity.edu

2006-07-27 15:32 • by ParkinT
83593 in reply to 83592
R.Flowers:
Alex Papadimoulis:

<img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">


...

<link rel="stylesheet" type="text/css" media="screen"
href="/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18"
/>

See, that's not too bad. If you think about it, using SQL to retrieve resources like that actually can -- I got nothing. However, I will end today on a good note. After his experience on their webpage, Mike decided that a graduate degree at WTFU just wasn't the right thing for him …




And a short time later, the images refused to load at all, almost as if the website content had DROPped off the face of the web...


Bad pun.


Bad, bad pun.  Sit! pun.

Re: wtfuniversity.edu

2006-07-27 15:33 • by Dave
83594 in reply to 83592
R.Flowers:
Alex Papadimoulis:
<img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">


...

<link rel="stylesheet" type="text/css" media="screen"
href="/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18"
/>

See, that's not too bad. If you think about it, using SQL to retrieve resources like that actually can -- I got nothing. However, I will end today on a good note. After his experience on their webpage, Mike decided that a graduate degree at WTFU just wasn't the right thing for him …



And a short time later, the images refused to load at all, almost as if the website content had DROPped off the face of the web...


<img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

wheeeeeee!

Re: wtfuniversity.edu

2006-07-27 15:34 • by Ford351-4V
83595 in reply to 83591
Anonymous:
    So, who besides me tried to go to the link?

captcha: captcha


I did!

Their Registrar probably shut them off for forgetting to sign the check.

Re: wtfuniversity.edu

2006-07-27 15:39 • by Reweave
At least the WTFU is covered if the W3C decides to invalidate the A tag.

Re: wtfuniversity.edu

2006-07-27 15:39 • by R.Flowers
83597 in reply to 83593
ParkinT:
R.Flowers:

And a short time later, the images refused to load at all, almost as if the website content had DROPped off the face of the web...


Bad pun.


Bad, bad pun.  Sit! pun.



If you don't rub my face in it, I'll never learn!

Re: wtfuniversity.edu

2006-07-27 15:41 • by WeatherGod
83598 in reply to 83591
Anonymous:
    So, who besides me tried to go to the link?

captcha: captcha




Looking for something?  Don't bother.  I took care of the faulty site.

In the meantime, can I offer some degrees in whatever field of choice?  Real cheap!


Re: wtfuniversity.edu

2006-07-27 15:50 • by snoofle
83600 in reply to 83594
Anonymous:

<img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

wheeeeeee!



I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)

Re: wtfuniversity.edu

2006-07-27 15:53 • by kipthegreat
So is this site still live?  I would love to browse it in FireFo.

Re: wtfuniversity.edu

2006-07-27 15:56 • by Whacky Waving Inflatable Arm Flailing Tube Man
83602 in reply to 83600
Yes it is, and that is why the end user should never, ever, ever see SQL.  If you have to allow user input for queries (as in a form variable to retrieve data), the LEAST you can do is rigorous validation.  Something like this I have never and hope to God will never ever see again.  It's like the developer is creating a honeypot for 13 year olds.

Re: wtfuniversity.edu

2006-07-27 15:57 • by xrT
Alex Papadimoulis:
  

function clickto(navId) {
    var url = getUrlFromNavId(navId);
    if (isBrowserIE()) {
        navToUrlForIE(url);
    } else if (isBrowserNetscape()) {
        navToUrlForNetscape(url);
    } else if (isBrowserFirefox()) {
        navToUrlForFirefo(url);
    } else {
        window.location = url;
    }
}

Is it just me or does that URL really need to be encoded specifically for a certain browser? There must be a reason behind that, though I can't think of one...

Oh wait, maybe it redirects to a page specific to a browser... never mind...


Alex Papadimoulis:
  

<img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">

WebAdmin: "Not again! This is the 42nd time our db gets corrupted this week! Stupid database!"



Re: wtfuniversity.edu

2006-07-27 15:57 • by TankerJoe
Alex Papadimoulis:



<img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">


...

<link rel="stylesheet" type="text/css" media="screen"
href="/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18"
/>


Bah, no problem here.  All they need to do is protect it with Injection Rejection


Re: wtfuniversity.edu

2006-07-27 15:58 • by Whacky Waving Inflatable Arm Flailing Tube Man
83605 in reply to 83600
snoofle:
Anonymous:

<img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

wheeeeeee!



I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



 


My last post was in reply to the above quoted message, not the site being live post.

Re: wtfuniversity.edu

2006-07-27 16:07 • by John Bigboote
83607 in reply to 83602
Anonymous:
a honeypot for 13 year olds.


<ding>

What is "myspace.com," Alex?

Re: wtfuniversity.edu

2006-07-27 16:15 • by ParkinT
83608 in reply to 83607

John Bigboote:
Anonymous:
a honeypot for 13 year olds.


<ding>

What is "myspace.com," Alex?


A swimming pool for 13 year olds.

Re: wtfuniversity.edu

2006-07-27 16:15 • by TankerJoe
83610 in reply to 83589
Anonymous:
Blecky bleck. 111th.

Anyway, I hope there was a pubwww.dbo.grades, the author would have been stoked.


Even better would be pubwww.dbo.transcripts. Gives new meaning to the "Earn your degree ONLINE!!!" ads.

Re: wtfuniversity.edu

2006-07-27 16:16 • by ben
I think the image should say:
EST. 19NaN


just a thought

Re: wtfuniversity.edu

2006-07-27 16:24 • by Bus Raker
83613 in reply to 83600
snoofle:
Anonymous:

<img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

wheeeeeee!



I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



It's more of a database issue than a web issue.  Any application communicating with a database is vulnerable.


<img src="/imgSrc?EXEC master..xp_regdeletekey @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE">

This would be a fun one!

Re: wtfuniversity.edu

2006-07-27 16:25 • by GoatCheez
83614 in reply to 83600
snoofle:
Anonymous:

<img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

wheeeeeee!



I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



This is actually not SQL injection. SQL injection involves you putting your query into a string that you know will be used in the query. This, on the other hand, lets you construct your own query without having to fool the query constructor code, as there is none. This leaves SQL open to anyone to do anything with ease. This is by far the least secure design I think I have ever seen in use by a company/institution. I really hope they were brutally attacked. If you construct something like this, not only do you deserve to be hacked, but you NEED to be hacked.

Re: wtfuniversity.edu

2006-07-27 16:26 • by OneMHz
83615 in reply to 83608
ParkinT:

John Bigboote:
Anonymous:
a honeypot for 13 year olds.




What is "myspace.com," Alex?


A swimming pool for 13 year olds.



You don't watch Jeopardy much do ya?

Re: wtfuniversity.edu

2006-07-27 16:28 • by ben
The weird thing is that the SQL statement isn't even getting passed as a parameter properly. The URL "/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" sends you to the page /cssSrc, with a URL parameter of "SELECT_data_FROM_pubwww_dbo_csss_WHERE_id" set to "18". Unless cssSrc just does pattern matching on the URL ... which it well might.

Re: wtfuniversity.edu

2006-07-27 16:29 • by Kodi
83617 in reply to 83615
OneMHz:
ParkinT:

John Bigboote:
Anonymous:
a honeypot for 13 year olds.



What is "myspace.com," Alex?


A swimming pool for 13 year olds.


You don't watch Jeopardy much do ya?


Wha's Jeopardy ?

Re: wtfuniversity.edu

2006-07-27 16:29 • by Adam
83618 in reply to 83611
Anonymous:
I think the image should say:
EST. 19NaN


Or:
EST. 19102

Re: wtfuniversity.edu

2006-07-27 16:33 • by Carnildo
83619 in reply to 83616
Anonymous:
The weird thing is that the SQL statement isn't even getting passed as a parameter properly. The URL "/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" sends you to the page /cssSrc, with a URL parameter of "SELECT_data_FROM_pubwww_dbo_csss_WHERE_id" set to "18". Unless cssSrc just does pattern matching on the URL ... which it well might.


That assumes proper CGI parsing of the URL. Based on everything else in the WTF, it's quite likely that the "cssSrc" application just gets a raw URL, and does its own parsing.

Re: wtfuniversity.edu

2006-07-27 16:33 • by John Bigboote
83620 in reply to 83616


Anonymous:
The weird thing is that the SQL statement isn't even getting passed as a parameter properly. The URL "/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" sends you to the page /cssSrc, with a URL parameter of "SELECT_data_FROM_pubwww_dbo_csss_WHERE_id" set to "18". Unless cssSrc just does pattern matching on the URL ... which it well might.


I think you're giving them WAY too much benefit-of-the-doubt. Looks like the cssSrc just executes the querystring outright. Assuming that they're doing pattern matching based on the degree of ineptitude we've already seen is like saying "well, he left his keys in the ignition with the doors unlocked, but there's probably a retinal scanner in the visor mirror."
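To settle what a real query-string parser would make of that URL, and what the handler should have been doing instead, here is an added example (not code from the article or from the site it describes). The SQLite table, its stylesheet row and the URLs are constructed; the `pubwww.dbo` prefix is dropped because SQLite has no such schema, and the `css_src_wtfu` function is a reconstruction of the design the thread is describing, not the site's actual code.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for pubwww.dbo.csss: one stylesheet row, id 18.
# (SQLite has no "pubwww.dbo" schema, so the table is simply "csss".)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE csss (id INTEGER PRIMARY KEY, data TEXT)")
    conn.execute("INSERT INTO csss VALUES (18, 'body { color: #000; }')")
    conn.commit()
    return conn

def parsed_query(url):
    """What a CGI-style query-string parser makes of the WTFU URL: the SQL
    text becomes the parameter *name* and only '18' survives as a value.
    (PHP would additionally rewrite spaces and dots in the name to '_';
    Python's parse_qs leaves them alone.)"""
    return parse_qs(urlsplit(url).query)

def css_src_wtfu(conn, url):
    """Reconstruction of the design under discussion (assumption, not the
    site's code): the raw text after '?' is handed to the database
    verbatim, so any statement the DB account may run goes through."""
    row = conn.execute(urlsplit(url).query).fetchone()
    return row[0] if row else None

def css_src_safe(conn, url):
    """Hardened handler: the URL carries only an integer id, any other
    parameter is rejected, and the SQL text is fixed with a bound value."""
    params = parse_qs(urlsplit(url).query)
    if set(params) != {"id"} or len(params["id"]) != 1:
        raise ValueError("400: expected exactly one 'id' parameter")
    raw = params["id"][0]
    if not raw.isdecimal():          # digits only: no sign, no spaces, no SQL
        raise ValueError("400: id must be an unsigned integer")
    row = conn.execute("SELECT data FROM csss WHERE id = ?", (int(raw),)).fetchone()
    if row is None:
        raise LookupError("404: no such stylesheet")
    return row[0]

if __name__ == "__main__":
    db = make_db()
    print(parsed_query("/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18"))
    print(css_src_safe(db, "/cssSrc?id=18"))
    for bad in ("/cssSrc?SELECT data FROM csss WHERE id=18", "/cssSrc?id=18 OR 1=1"):
        try:
            css_src_safe(db, bad)
        except ValueError as exc:
            print(bad, "->", exc)
```

With proper parsing the statement never reaches the database as a value at all, which is ben's point; the hardened handler goes one step further and refuses anything that is not a bare integer under the one parameter name it expects, so the question of "what does the database do with this string" never arises.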

Re: wtfuniversity.edu

2006-07-27 16:33 • by R.Flowers
83621 in reply to 83607
John Bigboote:
Anonymous:
a honeypot for 13 year olds.


<ding>

What is "myspace.com," Alex?


I'm sorry, we were looking for "Pamela Rogers." But you retain control of the board...

Re: wtfuniversity.edu

2006-07-27 16:34 • by PS
83622 in reply to 83614
GoatCheez:
snoofle:
Anonymous:

<img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

wheeeeeee!



I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



This is actually not SQL injection. SQL injection involves you putting your query into a string that you know will be used in the query. This, on the other hand, lets you construct your own query without having to fool the query constructor code, as there is none. This leaves SQL open to anyone to do anything with ease. This is by far the least secure design I think I have ever seen in use by a company/institution. I really hope they were brutally attacked. If you construct something like this, not only do you deserve to be hacked, but you NEED to be hacked.



To put it metaphorically, if SQL injection is sneaking into a secured building through the sewers, this is walking right through the front door.

Re: wtfuniversity.edu

2006-07-27 16:36 • by GoatCheez
83623 in reply to 83622
Anonymous:
GoatCheez:
snoofle:
Anonymous:

<img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

wheeeeeee!



I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



This is actually not SQL injection. SQL injection involves you putting your query into a string that you know will be used in the query. This, on the other hand, lets you construct your own query without having to fool the query constructor code, as there is none. This leaves SQL open to anyone to do anything with ease. This is by far the least secure design I think I have ever seen in use by a company/institution. I really hope they were brutally attacked. If you construct something like this, not only do you deserve to be hacked, but you NEED to be hacked.



To put it metaphorically, if SQL injection is sneaking into a secured building through the sewers, this is walking right through the front door.


lol... yeah... I envision a huge building that represents the site. The front doors have locks, however the building doesn't have any walls.... So, even though their doors are locked, you just have to step to a side and keep walking to get through lol.

Re: wtfuniversity.edu

2006-07-27 16:40 • by Anonymous Hero

This is real site of a real University? prove it Alex. post the link!


 


Captcha: java

Re: wtfuniversity.edu

2006-07-27 16:44 • by Juifeng
83625 in reply to 83614
GoatCheez:
This is by far the least secure design I think I have ever seen in use by a company/institution.


Let's not forget client side PHP! It's an all-in-one solution to your problems, not only SQL injection, but pretty much *anything* injection.

Of course, let's hope that it was no company/institution design.

I guess the javascript function to fetch a URL from the span ID used XmlHttpRequest to get the correct URL in a web2.0 and ajaxy fashion. Of course, the XML file called was:
/xmlSrc?SELECT url FROM pubwww.dbo.links WHERE id=*id*

Re: wtfuniversity.edu

2006-07-27 16:50 • by Dick Wolf
Oh. My. GOD.

I've known people who didn't test their web code... MADDENING, it is.

Re: wtfuniversity.edu

2006-07-27 17:00 • by cconroy
83629 in reply to 83617
Kodi:
OneMHz:
ParkinT:

John Bigboote:
Anonymous:
a honeypot for 13 year olds.



What is "myspace.com," Alex?


A swimming pool for 13 year olds.


You don't watch Jeopardy much do ya?


Wha's Jeopardy ?





Correct.  That's it for "Game Shows for Pretentious Know-it-alls"; please choose another category...

Re: wtfuniversity.edu

2006-07-27 17:02 • by Shizzle
83630 in reply to 83623
GoatCheez:


Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?

Re: wtfuniversity.edu

2006-07-27 17:03 • by Digitalbath
83631 in reply to 83587

Raider:
...only to learn how to pick my nose and browse porn sites during class...


Ah, physics and chemistry class...how I miss thee.

Re: wtfuniversity.edu

2006-07-27 17:03 • by John Bigboote
83632 in reply to 83630
Anonymous:
GoatCheez:


Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?


It's a police composite sketch of Cartman from an episode of South Park.

Re: wtfuniversity.edu

2006-07-27 17:05 • by CornedBee
Hypothetically, if the cssSrc app used a DB user with extremely limited rights (say, only SELECT on that single table), how much damage could a cracker do?

Not that I expect WTFU to be smart enough for that.
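CornedBee's hypothetical can be tried out. The following is an added example, not code from the article or the site: SQLite has no GRANT, so its authorizer hook is used here to emulate an account that may only SELECT from one table, and the `imgs` and `grades` tables and their rows are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the WTFU database: the imgs table the handler is
# meant to read, plus a grades table it should never be able to touch.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE imgs (id INTEGER PRIMARY KEY, data BLOB)")
    conn.execute("CREATE TABLE grades (student TEXT, grade TEXT)")
    conn.execute("INSERT INTO imgs VALUES (51, X'89504e47')")
    conn.execute("INSERT INTO grades VALUES ('mike', 'A')")
    conn.commit()
    return conn

def restrict_to_select_on(conn, table):
    """Emulate a DB account granted only SELECT on one table. SQLite's
    authorizer is consulted for every operation a statement would perform,
    so it stands in for the privilege check a real server does on GRANTs."""
    allowed_actions = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION,
                       sqlite3.SQLITE_TRANSACTION}

    def authorizer(action, arg1, arg2, dbname, source):
        if action in allowed_actions:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == table:
            return sqlite3.SQLITE_OK       # arg2 is the column being read
        return sqlite3.SQLITE_DENY         # anything else: "not authorized"

    conn.set_authorizer(authorizer)

def img_src(conn, sql):
    """WTFU-style handler (assumption, not the site's code): run whatever
    arrived in the URL and report whether the account was allowed to."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:
        return ("denied", str(exc))

if __name__ == "__main__":
    db = make_db()
    restrict_to_select_on(db, "imgs")
    for stmt in ("SELECT data FROM imgs WHERE id=51", "DROP TABLE imgs",
                 "SELECT * FROM grades", "SELECT id, data FROM imgs"):
        print(stmt, "->", img_src(db, stmt))
```

The answer to the question: a least-privilege account stops the DROP, the DELETE and any look at other tables, so the blast radius shrinks to that one table. What it cannot stop is a single request reading the whole permitted table, or arbitrarily expensive SELECTs against it, because the design still lets the client write the query. Privileges bound the damage; they do not replace a fixed query with a bound parameter.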

Re: wtfuniversity.edu

2006-07-27 17:13 • by themagni
83635 in reply to 83632

John Bigboote:
Anonymous:
GoatCheez:


Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?


It's a police composite sketch of Cartman from an episode of South Park.


If my timeline is correct, it was first done for a Fark photoshop contest a few years ago: "Photoshop your favorite cartoon characters in real life." I think it was the winning entry; the entrant sketched out the four kids from SP as real kids.


Parker and Stone saw it and used it in an upcoming episode.

Re: wtfuniversity.edu

2006-07-27 17:15 • by John Bigboote
83636 in reply to 83635
themagni:

John Bigboote:
Anonymous:
GoatCheez:


Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?


It's a police composite sketch of Cartman from an episode of South Park.


If my timeline is correct, it was first done for a Fark photoshop contest a few years ago: "Photoshop your favorite cartoon characters in real life." I think it was the winning entry; the entrant sketched out the four kids from SP as real kids.


Parker and Stone saw it and used it in an upcoming episode.



Awesome. Shades of Snakes on a Plane.

Re: wtfuniversity.edu

2006-07-27 17:20 • by Bus Raker
Alex Papadimoulis:

 


WTF University, I will miss Thee. Think of the WTFU Alma Mater 
By the way, you can't spell wtfuniversity without 'F' 'U' 'N' !
 

Re: wtfuniversity.edu

2006-07-27 17:27 • by Unklegwar
83638 in reply to 83600
snoofle:
Anonymous:

<img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

wheeeeeee!



I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



sql injection is actually done by entering specially formed sql snippets in input areas on a form in the hopes of finding out that the site uses dynamic sql strings...

This isn't injection, this is way easier, almost invited. Good god.  I can see it now "Meh, the average user doesn't ever look at the source, and if they do, they won't realize what this is."

I want to hear the update that the DROP scenario actually happened.

Re: wtfuniversity.edu

2006-07-27 17:39 • by jcw9
83639 in reply to 83611
or maybe the year should be 19101? :D

Re: wtfuniversity.edu

2006-07-27 17:48 • by Mike Rod
83640 in reply to 83635
themagni:

John Bigboote:
Anonymous:
GoatCheez:


Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?


It's a police composite sketch of Cartman from an episode of South Park.


If my timeline is correct, it was first done for a Fark photoshop contest a few years ago: "Photoshop your favorite cartoon characters in real life." I think it was the winning entry; the entrant sketched out the four kids from SP as real kids.


Parker and Stone saw it and used it in an upcoming episode.



In all honesty, I always thought it was a portrait or a drawing of him.
Is that a bad assumption?

Mike Rod

Re: wtfuniversity.edu

2006-07-27 18:12 • by MaGnA
Searching for "navToUrlForFirefo" in Google didn't yield any results so I'd say that they at least knew how to use the robots.txt file. So we can forget about DROPping any tables...

Re: wtfuniversity.edu

2006-07-27 18:19 • by Mark H
83642 in reply to 83600
snoofle:

I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



Not really...SQL injection implies that you're putting arbitrary SQL code somewhere that it's not supposed to go. Like a password field where you put

OR 1=1

So that the complete query looks like
select * from users where user_name="<username>" and password="<password>" or 1=1

This defeats the password.

But given that they're arbitrarily executing whatever gets passed in there, it's not really SQL injection, it's more like a goofy SQL ad-hoc interpreter.

But yes, "bad" is one way to describe it.
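Mark H's password example, run both ways, as an added example that is not part of the thread or the article. It shows the distinction GoatCheez, Unklegwar and Mark H draw: with string concatenation the attacker has to fool a query that the server built, whereas a bound parameter never lets the input become SQL. The `users` table, its single plain-text password row (real systems store hashes) and the login functions are constructed for this demonstration.

```python
import sqlite3

# Constructed users table with one account; plain-text password column as in
# Mark H's example (a real system would store and compare a password hash).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('mike', 's3cret')")
    conn.commit()
    return conn

def login_concat(conn, user_name, password):
    """Vulnerable: the query is assembled by string formatting, so text
    typed into the password field is parsed as SQL and can extend the
    WHERE clause with an OR that is always true."""
    sql = ("SELECT user_name FROM users WHERE user_name='%s' AND password='%s'"
           % (user_name, password))
    return conn.execute(sql).fetchone() is not None

def login_param(conn, user_name, password):
    """Fixed: identical query text, but the values travel as bound
    parameters, so they are compared as data and never parsed as SQL."""
    sql = "SELECT user_name FROM users WHERE user_name=? AND password=?"
    return conn.execute(sql, (user_name, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"       # constructed input in the password field
    print("concat, real password:   ", login_concat(db, "mike", "s3cret"))
    print("concat, OR 1=1 input:    ", login_concat(db, "nobody", bypass))
    print("parameter, real password:", login_param(db, "mike", "s3cret"))
    print("parameter, OR 1=1 input: ", login_param(db, "nobody", bypass))
```

The concatenated version ends up running `... AND password='' OR '1'='1'`, which matches every row, so the login succeeds for a user that does not exist; the parameterised version compares the literal string `' OR '1'='1` against the stored password and fails. Neither function needs an "SQL interpreter" in the URL for the attack to work, which is what makes the WTFU design a category of its own rather than an injection bug.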

F*ck this.. Who's the babe?

2006-07-27 18:36 • by Tanish

Forgot that HTML crap... Who's the girl playing foosball whose left breast we're all ogling, that's what I want to know!
