Photo credit: 'Life in LDN' at Flickr

When Glen Sommers was hired to add some features to a ColdFusion-based web application for a non-profit organization, he wasn't surprised by the quality he found; he expected it.

The application, whose sole purpose was to manage registrations for an organization's annual conference, was a learning experience for the original developer (who apparently did the work for free).  Among its many WTFs, the app used a grand total of 1 database table with 50+ columns with generic names like PackageOne, PackageTwo, PackageThree, and so on, but The Real WTF™ was the application's security...or rather, the lack thereof.

The URL Hack

When a prospective attendee wants to register for a conference, he or she must first sign in through the main page and then, if successful, is redirected to a menu screen.  From there, they can select a conference, enter their name, address, desired conference location, date, time, etc.  While testing his changes, using the account for dummy attendee Mr. Nosmo King of Sheboygan, Wisconsin, Glen noticed that every URL in the system ended in "somepage.htm?10034".

Playing devil's advocate, he ticked the number at the end of the URL down by one and refreshed the page.  Suddenly, he found himself viewing the user details of Greg Smith.  Glen tried reproducing his test on the live system and confirmed that not only could he pull up any user's information ...but, more frighteningly, without first having to sign in.
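The flaw Glen found is a record fetched straight from a guessable number in the URL, with no check of who is asking. The following is an added example, not the application's own ColdFusion code: the same pattern in Python next to a handler that requires a signed-in session and checks ownership. The record table, user names and the `staff` session flag are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the app's single wide table: record id -> row.
RECORDS = {
    10033: {"name": "Greg Smith", "owner": "gsmith"},
    10034: {"name": "Nosmo King", "owner": "nking"},
}

def record_id_from_url(url):
    # The app's URLs end in "?10034": the whole query string is the record id.
    q = urlsplit(url).query
    return int(q) if q.isdigit() else None

def vulnerable_lookup(record_id):
    # Mirrors the original app: whoever supplies an id gets that row,
    # signed in or not. Ticking the number down walks the whole table.
    return RECORDS.get(record_id)

def checked_lookup(record_id, session):
    # Authentication: a signed-in session is required before any lookup.
    if not session or "user" not in session:
        return None
    rec = RECORDS.get(record_id)
    # Authorization: the row must belong to the caller, or the caller must
    # hold a staff role (assumed session flag). A missing row and someone
    # else's row get the same answer, so ids cannot be enumerated by
    # comparing responses.
    if rec is None:
        return None
    if rec["owner"] != session["user"] and not session.get("staff", False):
        return None
    return rec

if __name__ == "__main__":
    rid = record_id_from_url("https://example.org/somepage.htm?10033")
    print("unchecked:", vulnerable_lookup(rid))
    print("as nking: ", checked_lookup(rid, {"user": "nking"}))
    print("as staff: ", checked_lookup(rid, {"user": "glen", "staff": True}))
```

The sixteen hours Glen quoted below amount to putting the session and ownership checks in front of every such lookup, since a check on one page leaves the other pages open.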

Glen called a meeting with the Director where he demoed what he found.

"What you have here seems serious - how long would it take to fix?" asked the Director.

"About 16 hours to change, test, and..." Glen began, before getting cut off...and shot down.

"No, no...I don't think we can squeeze that one in right now with the conference 'peak season' starting so soon," began the Director, "Besides, it's not like we're storing credit card info!"

Clerical Horror!

A few months after completing his assignment with the non-profit, the Director called up out of the blue.

"Hey Glen, we're getting some weird behavior with one of the spreadsheets that was sent out," began the Director, "One of the attendees says that when they view their schedule, sometimes they're getting information for other random attendees."

Glen asked the Director to forward him a copy of one of the spreadsheets and, after poking around, what he found was ...curious.  Just on happenstance, Glen clicked on a seemingly harmless, empty cell on the spreadsheet, and was surprised to find that he was able to see information for a random conference attendee.  In fact, upon further inspection, the spreadsheet contained links to ALL conference attendees that were to attend any of the upcoming conferences.

Unsure of how the office was even creating these oddball spreadsheets (since the original coder couldn't have added such a whiz-bang feature), Glen came into the office to get to the bottom of things and, within minutes, he had his explanation.  Whenever anyone requested a spreadsheet to be sent out, the office personnel would generate a listing of all attendees that had registered for any future conference and delete the un-needed records, rather than copy the needed records to a new spreadsheet.  Basically, a "feature" in Excel was keeping the URLs to records in the "Link to Attendee Record" column even though the visible text was being cleared.

Holding back the strong urge to begin his meeting with the Director with a "Nyah, nyah, told you so", Glen presented his findings to the Director.   However, this time, rather than argue about cost or effort, Glen was told to get straight to work.  It was eventually revealed through the grapevine that two ego-driven conference attendees had accidentally clicked on each other's records and found that while one was staying at the HampTone Inn, the other was staying at the ritzy Worthington Arms Hotel and was to receive a bowl of Red M&M's upon arrival. To make matters worse, they both were co-presenters.  With conference attendees being a somewhat close-knit bunch, word spread, and with everybody sticking their noses in everybody else's records, things got a bit heated after that.  The Director ultimately was forced to take the reservation system down (read: unplug the network cable to the application's server) or face losing all of the organization's registered conference attendees.  Suddenly, after having to do damage control and process reservations over fax and snail mail, money was no object and 16 hours of effort was a complete bargain.