Admin
Dude, you need to blur more of the address. All you have to do is Google the visible part of the URL to get the rest.
Admin
Fixed. Thanks Barry.
Admin
Actually it's quite easy to change hidden form fields if you have something like Document Examiner for IE, which lets you change any page property on the fly.
Admin
Or Firefox's Web Developer toolbar which converts POSTs to GETs
Admin
Jim - that's the point. ("WHOOSH")
Admin
I don't get it. Did he change display=events to display=passwords%20and%20credit%20card%20numbers?
Admin
I ran across something similar on a magazine's web site. The subscription link ended in "/sub/dv?wp=wppaid". You'll never guess how I got a free subscription...
Admin
"While I doubt you fellows would be able to hack that,..."
Nice way to insult your readership :rolleyes:
Admin
Nice way to miss sarcasm.
File->Save As, Open Saved File, Change Variables, Post
Admin
:lol:
great example
Admin
it could be eg:
www.umaine.edu/call/calendar/calendar.pl
www.umwestern.edu/calendar/calendar.pl?config=calendar.cfg
google
Admin
Funny = true;
Admin
<< "While I doubt you fellows would be able to hack that,..."
Nice way to insult your readership :rolleyes:>>
Well, this is a site predominantly for Microsoft / VB / C# programmers, so....
Admin
search for inurl:admin=false, and you'll find this is not an unpopular construct.
Admin
Good job obfuscating the image r_AdminEqFalse2.gif. Hey, if there's a two, maybe there's another image with a one? Or possibly no number? Wow, what do you know! The real WTF here, though, is this post editor. What a piece of crap!
PS. You can try PNG. It won't bite.
Admin
Speaking of obfuscation, just change the form variable to nqzva, and look for values of either snyfr or gehr. There, problem solved.
--ls
Admin
"The system was quickly secured by making “admin“ a hidden form variable."
... Except it's still open to the same abuse. :p
There is a Greasemonkey script to convert all hidden form fields into text fields... so you must assume that ANY HIDDEN FORM FIELD CAN BE CHANGED AT WILL. The end lesson of this is to never use form fields.
The same applies to cookies... they can be changed. Do not use them for data the user is not supposed to see or change.
If you must use either, use a value that can not be easily changed to anything else meaningful (like a session id value).
Admin
Really? Are you serious?
Read the rest of the original post, genius. Everyone knows that the "solution" was no solution at all.
sincerely,
Richard Nixon
Admin
Wrong. Forms are fine. They work great. The moral of the story is to NEVER trust input sent from the browser. Period.
That alone will not suffice. See phpsec.org for details.
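The rule the two posts above arrive at (a hidden field or cookie is still client input, so privilege must be keyed off an opaque server-side session, never an admin flag the browser sends) worked through as an added example; this is not code from the thread or from the site in the article, and the Request class, session store and secret are constructed stand-ins for a real web framework.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for an HTTP request: form fields and cookies exactly as the
# browser chose to send them (hidden fields, GET or POST, make no difference here).
@dataclass
class Request:
    form: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)

def is_admin_vulnerable(req: Request) -> bool:
    """The pattern from the article: the role is whatever the client put in 'admin'."""
    return req.form.get("admin", "false").lower() == "true"

# Server side. The role lives only here, keyed by an id the client cannot guess;
# the HMAC lets the server tell a tampered cookie from an unknown or expired one.
SECRET = secrets.token_bytes(32)          # constructed per-process secret
SESSIONS: Dict[str, Dict[str, str]] = {}  # constructed in-memory session store

def _sign(sid: str) -> str:
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def create_session(username: str, role: str) -> str:
    """Issue a cookie value 'sid.signature'; the role never leaves the server."""
    sid = secrets.token_urlsafe(24)       # URL-safe alphabet, never contains '.'
    SESSIONS[sid] = {"user": username, "role": role}
    return f"{sid}.{_sign(sid)}"

def lookup_session(cookie_value: str) -> Optional[Dict[str, str]]:
    """Return the stored session, or None if the cookie is missing, altered or unknown."""
    sid, _, sig = cookie_value.partition(".")
    if not hmac.compare_digest(sig, _sign(sid)):   # constant-time comparison
        return None
    return SESSIONS.get(sid)

def is_admin_fixed(req: Request) -> bool:
    """Privilege comes from the server-side record, regardless of any form field sent."""
    sess = lookup_session(req.cookies.get("session", ""))
    return sess is not None and sess["role"] == "admin"
```

Flipping admin=true in the form (or flipping a role cookie) changes nothing for `is_admin_fixed`; only a session the server itself created with role "admin" passes.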
Admin
That's the point. Changing it to hidden does nothing; it's still a GET.
Gotta whip out those <sarcasm> tags more often gentlemen/ladies ;)
Admin
Anyone remember Shadowbane? The game where "Play to Crush" became "Pay to Crash"? They had their CSR privilege toggle client-side.
If I recall correctly, someone in a guild called Rolling 30's found out about this. They flipped the switch. Initially they just used it to give themselves whatever they wanted, gold, gear, city improvements, whatever, and after a while they got bored and quit Shadowbane ... but before they did, they went wild. They did stuff like moving player cities (with their inhabitants) to the bottom of the ocean, that kind of thing. They destroyed what was left of the economy, they cost thousands of users their stuff (not least because the developers had neglected to write any effective admin tools to log or fix things), and made a royal mess.
The company had to do a 3-day rollback to fix the resulting unholy mess. Or they tried; being Wolfpack, they did a half-assed job and botched the whole thing, but what do you expect from a company that puts the godmode switch in the client?
Incidentally, there are people to this day who think that was the most interesting thing that ever happened in Shadowbane. They may have a point.