I hate the final stretch of a project; it's when all the minor bugs that I've been putting off fixing need to get fixed. An anonymous submitter that we'll call Scott was brought on for the final round of fixes of a large, vendor-built application.
Scott's first task was to fix a simple little issue in the admin section of the site. He opened the project and read an ominous line of code right at the top of the file:
<CFINCLUDE TEMPLATE="../../include_admin_security.cfm"/>
OK, Scott, he thought to himself, for whatever reason not thinking his real name, this is probably nothing to worry about. An include file might not be the most elegant way to do this, but I'm sure the code is OK.
Scott navigated to include_admin_security.cfm and opened it up. Take a deep breath and read on.
<CFIF Not IsDefined('cookie.admin')>
    <script language="JavaScript">
        alert("You do not have permissions to view this area");
        window.open('index.cfm','_self')
    </script>
<CFELSE>
    <CFIF cookie.admin is 'No'>
        <script language="JavaScript">
            alert("You do not have permissions to view this area");
            window.open('index.cfm','_self')
        </script>
    </CFIF>
</CFIF>
Admin privileges are stored in cookies, which the browser controls. The cookie value must be undefined or "No" in order for someone to be denied admin privileges. If cookie.admin is "Yes", "Whatever", or "Fidelio", or anything but "No", you're in. Of course, the only thing standing in the way even then is an alert and a redirect written in client-side script, so if you're a sophisticated hacker that knows how to turn off JavaScript, that'll work, too. And if that's the case, thanks for visiting this site, Neo!
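For contrast, here is what a server-side version of that include could look like. This is an added example, not the vendor's code or Scott's fix; it assumes session management is enabled in the application and that the login handler sets a flag, here given the hypothetical name session.isAdmin, only after verifying credentials on the server.

```cfml
<!--- Added example: a hardened include_admin_security.cfm.
      Assumptions: session management is enabled for the application, and
      session.isAdmin (hypothetical name) is set to true by the login handler
      only after the server has verified the user's credentials and role. --->

<!--- Fail closed: the flag must exist, be a boolean, and be true.
      Nothing the browser sends (cookies, form fields, URL) is consulted. --->
<cfif NOT (structKeyExists(session, "isAdmin")
           AND isBoolean(session.isAdmin)
           AND session.isAdmin)>

    <!--- Record the denied request so repeated probing of admin pages
          shows up in the logs. --->
    <cflog file="admin_access" type="warning"
           text="Denied admin page #cgi.script_name# for #cgi.remote_addr#">

    <!--- Answer with a real HTTP status instead of a script block the
          client is free to ignore. --->
    <cfheader statuscode="403">
    <cfoutput>You do not have permissions to view this area.</cfoutput>

    <!--- Stop processing here so none of the admin page that included
          this file is rendered or sent. --->
    <cfabort>
</cfif>
```

The two differences that matter are the source of the decision (server-held session state rather than a cookie value) and the cfabort, which keeps the including page from running at all when the check fails.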
Well, Scott's still working on this system that could be hacked by anyone that's seen the trailer for "Swordfish." It's been in the last phase of development since April.