• Barry E. (unregistered)

    Dude, you need to blur more of the address. All you have to do is Google the visible part of the URL to get the rest.

  • Alex Papadimoulis (unregistered)

    Fixed. Thanks Barry/

  • Jim Bolla (unregistered)

    Actually its quite easy to change hidden form fields if you have something like Document Examiner for IE which lets you change any page property on the fly.

  • RichB (unregistered)

    Or Firefox's Web Developer toolbar which converts POSTs to GETs

  • InfoBasis (unregistered)

    Jim - that's the point. ("WHOOSH")

  • Jake Vinson (unregistered)

    I don't get it, did he change display=events to display=passwords%20and%20credit%20card%20numbers?

  • Dewayne Christensen (unregistered)

    I ran across something similar on a magazine's web site. The subscription link ended in "/sub/dv?wp=wppaid". You'll never guess how I got a free subscription...

  • Tom Archer (unregistered)

    "While I doubt you fellows would be able to hack that,..."

    Nice way to insult your readership :rolleyes:

  • Alex Papadimoulis (unregistered)

    Nice way to miss sarcasm.

    File->Save As, Open Saved File, Change Variables, Post

  • tty01 (unregistered)

    :lol:
    great example

  • P" (unregistered)

    it could be eg:

    www.umaine.edu/call/calendar/calendar.pl

    www.umwestern.edu/calendar/ calendar.pl?config=calendar.cfg

    google

  • Salman (unregistered)

    Funny = true;

  • Eric Goldberg (unregistered)

    << "While I doubt you fellows would be able to hack that,..."

    Nice way to insult your readership :rolleyes:>>

    Well, this is a site predominantly for Microsoft / VB / C# programmers, so....

  • Pendant (unregistered)

    search for inurl:admin=false, and you'll find this is not an unpopular construct.

  • anony moose (unregistered)

    Good job obfuscating the image r_AdminEqFalse2.gif. Hey, if there's a two, maybe there's another image with a one? Or possibly no number? Wow, what do you know! The real WTF here, though, is this post editor. What a piece of crap!

    PS. You can try PNG. It won't bite.

  • ls-laF (cs) in reply to anony moose

    Speaking of obfustication, just change the form variable to nqzva, and look for values of either snyfr or gehr. There, problem solved.

    --ls

  • The MAZZTer (unregistered)

    "The system was quickly secured by making “admin“ a hidden form variable."

    ... Except it's still open to the same abuse. :p

    There is a Greasemonkey script to convert all hidden form fields into text fields... so you must assume that ANY HIDDEN FORM FIELD CAN BE CHANGED AT WILL.  The end lesson of this is to never use form fields.

    The same applies to cookies... they can be changed.  Do not use them for data the user is not supposed to see or change.

    If you must use either, use a value that can not be easily changed to anything else meaningful (like a session id value).

  • Richard Nixon (cs) in reply to The MAZZTer
    Anonymous:
    "The system was quickly secured by making “admin“ a hidden form variable."

    ... Except it's still open to the same abuse. :p



    Really? Are you serious?

    Read the rest of the original post genius. Everyone knows that the "solution" was no solution at all.

    sincerely,
    Richard Nixon

  • kenman (cs) in reply to The MAZZTer
    Anonymous:
    There is a Greasemonkey script to convert all hidden form fields into text fields... so you must assume that ANY HIDDEN FORM FIELD CAN BE CHANGED AT WILL.  The end lesson of this is to never use form fields.

    The same applies to cookies... they can be changed.  Do not use them for data the user is not supposed to see or change.


    Wrong. Forms are fine. They work great. The moral of the story is to NEVER trust input sent from the browser. Period.

    Anonymous:
    If you must use either, use a value that can not be easily changed to anything else meaningful (like a session id value).


    That alone will not suffice. See phpsec.org for details.
  • jminkler (cs) in reply to The MAZZTer

    Thats the point, changing it to hidden does nothing its still a GET

     

    Gotta whip out those <sarcasm> tags more often gentlemen/ladies ;)

  • WW (unregistered)

    Anyone remember Shadowbane? The game where "Play to Crush" became "Pay to Crash"? They had their CSR privilege toggle client-side.

    If I recall correctly, someone in a guild called Rolling 30's found out about this. They flipped the switch. Initially they just used it to give themselves whatever they wanted, gold, gear, city improvements, whatever, and after a while they got bored and quit Shadowbane ... but before they did, they went wild. They did stuff like moving player cities (with their inhabitants) to the bottom of the ocean, that kind of thing. They destroyed what was left of the economy, they cost thousands of users their stuff (not least because the developers had neglected to write any effective admin tools to log or fix things), and made a royal mess.

    The company had to do a 3-day rollback to fix the resulting unholy mess. Or they tried; being Wolfpack, they did a half-assed job and botched the whole thing, but what do you expect from a company that puts the godmode switch in the client?

    Incidentally, there are people to this day who think that was the most interesting thing that ever happened in Shadowbane. They may have a point.

Leave a comment on “Admin=False”

Log In or post as a guest

Replying to comment #:

« Return to Article