• chris (unregistered) in reply to ChefJoe
    ChefJoe:
    da Doctah:
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.

    In MIDI I hope. I prefer to listen to all my music in MIDI so I know that the notes are exactly the ones the artist intended.

    Agreed - a lot of modern musicians seem to struggle with some of the real classics.
  • Ryan (unregistered) in reply to JAPH

    "TRWTF is that the result set of that query isn't used in a meaningful way. Sure, we cycle over every row returned, but in each cycle we compare the user-supplied password to "star" instead of the appropriate table column."

    Man, nothing gets by you.

  • G (unregistered) in reply to Ryan
    Ryan:
    "TRWTF is that the result set of that query isn't used in a meaningful way. Sure, we cycle over every row returned, but in each cycle we compare the user-supplied password to "star" instead of the appropriate table column."

    Man, nothing gets by you.

    Your sarcasm would have been adequate, if there were not already three pages of other comments that still do not get the "obvious".

  • John Hensley (unregistered)

    TRWTF is calling images on a web site "polaroids." Who does this?

  • Abico (unregistered) in reply to John Hensley
    John Hensley:
    TRWTF is calling images on a web site "polaroids." Who does this?
    I could be wrong, but I took it to literally mean scans of Polaroids.
  • JJ (unregistered) in reply to Smarty Tablets
    Smarty Tablets:
    2) The password is checked (repeatedly), but not against anything in the DB
    I just want to make one thing clear: When the password is correct, the rows are not iterated. This is because Response.Redirect is basically like a return statement: execution ends immediately. The recordset will only be fully (and uselessly) iterated when the password is incorrect.
  • COMIC SAAAAAAANS! (unregistered)

    Hell, why not go the whole hog?

    Who would trust their home with someone who used Comic Sans?
  • (cs) in reply to COMIC SAAAAAAANS!

    Who would trust their home with someone who DIDN'T use Comic Sans?

    Sidenote: browser.blink_allowed: false FTW!

  • Lachlan (unregistered)

Am I reading this wrong? I don't know VB (well, it looks like VB), but doesn't:

    If Request("Password") = "star" Then

Assign the value "star" to Request("Password"), thus returning true and letting anyone log in?

  • T.R. (unregistered) in reply to Lachlan
    Lachlan:
Am I reading this wrong? I don't know VB (well, it looks like VB), but doesn't:

    If Request("Password") = "star" Then

Assign the value "star" to Request("Password"), thus returning true and letting anyone log in?

No, the "=" operator here tests for equality; it's not an assignment operator. "=" is ambiguous in VB etc.; this is why C-like languages use "==" for the equality test and "=" for assignment.

    Actually what this code does is quite simple : It loops through the DB records and for each record found, compares the user supplied password with "star".

So you will get logged in if both of the following conditions are true:

    1. You supplied "star" as the password in your request, perhaps by adding "?Password=star" to the URL.
    2. The DB table has at least one record.
  • MrBester (unregistered)

    Jesus fucking bald-headed Christ in a sidecar drinking Slippery Nipples. It says twice in the article (once implied by the filename) that this is Classic ASP. If you don't know either of the possible languages the code could have been written in (this one used VBScript. Not VB, not VB.NET) then please STFU and stop assuming every language works like C++ even when it doesn't fucking look remotely similar.

    If there are no records in the recordset then no login will succeed. You could argue that this is correct behaviour as there is no user record to "check" against but it is purely coincidental.

    If any property of any of the 5 collections that Request can look through is called "password" (case insensitive FTW) and contains the value "star" then the login succeeds. If the value is not "star" or the property doesn't exist then no login succeeds.

    Therefore there is one password, irrespective of username (which is ignored anyway).

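    The points T.R., MrBester and JJ make above (one fixed password regardless of username, no login on an empty recordset, and the redirect cutting the loop short on the first row) are easier to see when the logic runs. The block below is an added example written for this page, not the article's Classic ASP code: it is Python over sqlite3 rather than VBScript, and the table name, column names and the exact query shape are assumptions; the only things taken from the thread are that the username is concatenated into the SQL (which is how the "' OR 1=1;--" login wernsey describes succeeds), that the recordset is iterated, that each row is compared against the literal "star", and that success returns before the remaining rows are visited. A hardened variant with a parameterised lookup and a per-user hash comparison sits beside it for contrast.

```python
"""Runnable model of the login check the thread is picking apart.

Added example (Python over sqlite3), not the article's Classic ASP code: the
original is VBScript, and the table name, column names and the exact SQL here
are assumptions made to get something runnable. What is taken from the
comments: the username is concatenated into the query (the injection point),
the recordset is iterated, each row is compared against the literal "star"
rather than a stored credential, and the first match redirects (here: returns)
before the remaining rows are visited.
"""
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: str) -> str:
    """PBKDF2-HMAC-SHA256, hex encoded (used by the hardened variant only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two agents, each with a random salt and a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, salt TEXT, pw_hash TEXT)")
    for user, pw in (("judy", "Correct-Horse"), ("bob", "hunter2")):
        salt = os.urandom(16).hex()
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, _hash(pw, salt)))
    conn.commit()
    return conn


def login_as_posted(conn: sqlite3.Connection, username: str, password: str) -> tuple:
    """The logic the commenters reconstruct. Returns (logged_in, rows_visited) so the
    early exit on success is visible."""
    # Assumed query shape; the only thing the thread establishes is that the
    # username reaches the SQL unescaped.
    rs = conn.execute("SELECT * FROM users WHERE username = '" + username + "'")
    visited = 0
    for _row in rs:                 # walks the recordset ...
        visited += 1
        if password == "star":      # ... but never reads the row it is holding
            return True, visited    # Response.Redirect: nothing after this runs
    return False, visited           # empty recordset, or the password was not "star"


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup of one row, compared against that row's own hash in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    print(login_as_posted(db, "' OR 1=1;--", "star"))     # (True, 1): any username, one fixed password
    print(login_as_posted(db, "' OR 1=1;--", "hunter2"))  # (False, 2): every row visited, none used
    print(login_hardened(db, "' OR 1=1;--", "star"))      # False
```

    Two things to notice when running it: the injected username makes the recordset non-empty no matter what is in the table, so the posted logic accepts "star" for anyone, and with a wrong password the loop dutifully visits every row before failing, just as JJ says. The hardened version never builds SQL from input, fetches exactly the row for the supplied username, and compares against that row's hash, so the injection string simply matches no user.
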
  • Pants (unregistered)

    I wager the reason the injection worked is buried in the missing context. Does the session being logged do anything? Do you get a redirect to the same page even if your credentials are invalid?

    A person who iterates through all the records in a table while comparing two values that have no relation to the DB data is the same person who knows sessions are important but doesn't do anything other than log you in.

    Then again, maybe the session variable didn't get cleared. He had one good log in and then could punch in literally anything. Yeah. I'm changing my vote to this.

  • wernsey (unregistered)

    Several days late already, but please let me have a try:

    1. He walks over to Judy's computer and opens the browser on the login page.
    2. The username and password are saved because Judy clicked "Yes" on the "do you want Internet Explorer to save this password?" prompt without actually reading it.
    3. He replaces the username field with ' OR 1=1;--
    4. The password stays ****
    5. He logs in successfully, thus proving that there's a SQL injection vulnerability.
    6. When he looks at the code he discovers that the situation is a bit different.

    As always, TRWTF is the comments.

  • Neil (unregistered) in reply to Lorne Kates
    Lorne Kates:
    color=red;text-decoration: blink;font-family:Comic Sans MS, cursive, sans-serif;font-size:36pt
    Wait, BBCode injection attack?
    Lorne Kates:
    Sidenote: browser.blink_allowed: false FTW!
    Sorry, but that no longer suffices; see http://jsfiddle.net/CLKEw/ for example.
  • Seele (unregistered) in reply to JC

    It matters because the vulnerability allows anyone to log in as site administrator and do pretty much anything - deface the website, steal confidential client data etc.

  • stackozone (unregistered) in reply to Dan F

    On the other hand, http://www.bubbleinfo.com seems to be pretty decent.

  • Axel (unregistered)

    Realtor web services should all be written in J2EE, right? Because as we all know, Java is for closers.

    (...ducks, runs...)
