• John Kugelman (unregistered)

    This is pretty much par for the course for web applications. In my experience insecure, poorly-designed web apps are the rule, not the exception. This doesn't make me scream "WTF!", just roll my eyes.

  • (cs)
    Alex Papadimoulis:

    It turned out that Tom was very skeptical that it could provide the same features that his system did.

    Well I do certainly believe it couldn't.

  • KattMan (unregistered)

    Sadly this kind of "no one will figure it out" mentality is all to common.  You can do everything in your power to protect your identity, but idiots like this will always give your information away freely to anyone with two working brain cells.

  • Anon (unregistered)

    Reminds me of Yale's stellar online admissions... that was cracked by Princeton admissions officers who were not technical enough to have an electronic application process themselves.

  • andyl (unregistered) in reply to John Kugelman
    Anonymous:
    This is pretty much par for the course for web applications. In my experience insecure, poorly-designed web apps are the rule, not the exception. This doesn't make me scream "WTF!", just roll my eyes.


    I agree 100%

    The company I work for purchased a one-man web company a couple years ago. Among the atrocities we found was an online store site that stored plain text credit card numbers in a web accessable directory
  • verisimilidude (unregistered)

    Well, if the PDFs were stored in a publicly accessable directory was there anyway to upload them?  Changing one bad grade in your own school's system is one thing.  Changing your entire transcript and polishing the letters of recommendation before the grad admission committee gets a look would be a total coup!

  • Elwillow (unregistered)
    Alex Papadimoulis:

    Tom response, "Well, you were only able to access them because you're familiar with the technical details of the system. No one else would ever be able to actually figure that out on their own. But, go ahead and work on those other issues you found."



    I think he isn't aware of the "rest of the world", you know, outside your basement ^_^

    I hope his manual process was safer, maybe they did scan his document, shred and archive them ;)
  • (cs) in reply to KattMan
    Anonymous:

    Sadly this kind of "no one will figure it out" mentality is all to common.  You can do everything in your power to protect your identity, but idiots like this will always give your information away freely to anyone with two working brain cells.



    Here in the UK, you can sue idiots like this for giving your information away.
  • l1fel1ne (unregistered)

    Security through obscurity I say!

    I mean honesty, what are the chances they would think to increment 234.pdf

    Quit getting your panties in a bunch.

    -Tom

  • doc0tis (unregistered)

    Wow, this is such a simple "hack"? (Can you call this a hack)

    This guy should be demoted to be under the command of some student.

    --doc0tis

  • Dazed (unregistered) in reply to John Kugelman
    Anonymous:
    This is pretty much par for the course for web applications. In my experience insecure, poorly-designed web apps are the rule, not the exception. This doesn't make me scream "WTF!", just roll my eyes.

    It would have made me scream WTF until fairly recently but yes, it is awfully common.

    OTOH, the fact that it is common doesn't make it any less appalling. If a company wants to screw itself up, that's its own business, but if it's screwing other people like this, I think I'd play it hard:

    1. write a memo to the perpetrator, CC his manager, saying I think this design is unacceptable;
    2. if still no reaction, contact a newspaper or television program that makes hay with this sort of material (directly, or get a friend to do it).
  • (cs)

    i am the "TOM" you speak of and i don't appreciate the lies you print

  • (cs)

    A little boring story

    I bet Tom's 10+ years of experience is a bluff to make this story more "wtf-worthy"

    Mike Rod

  • (cs)
    Alex Papadimoulis:

    Tom believed that [...] he was The Chosen One, responsible for introducing "his students" into the Real World.

    [...]

    Tom's famous words: "they pay me a *lot* of money to do this sort of thing; I know what I'm doing."

    [...]

    Naturally, access to these documents was not restricted in any way.

    [...]

    Tom response, "No one else would ever be able to actually figure that out on their own."

    Introduction to what students will find in the Real World, indeed.

  • WHO WANTS TO KNOW? (unregistered)

    If ONLY this happened decades earlier!  THEN, I could blame tom for creating "child proof" caps!  They take a half second or so to open, sometimes break, and NEVER keep any half way intelligent child out!  But DON'T WORRY....Tom would probably say "But kids can't read until 3rd grade, and will NEVER figure it out!"!  Never mind that both statements are false.

    It's a pity.  Jims advice was simple to implement, would require almost no code changes, etc...  He COULD have suggested writting a report program, and having the data sent to the main office, as should have been done in the first place.  Less hassle/work and more security.

    Steve

  • Unklegwar (unregistered) in reply to John Kugelman
    Anonymous:
    This is pretty much par for the course for web applications. In my experience insecure, poorly-designed web apps are the rule, not the exception. This doesn't make me scream "WTF!", just roll my eyes.


    Side WTF here...what's with the ubiquitous attitude among posters on this forum that their experience is sooooo encompassing that they can make comments like "most blah blah blah sucks" or "almost all blah blah blah is insecure". What egos!

    Quite a stretch to assume that your vast experience (sounds a lot like Tom, actually) qualifies you to evaluate what is par for web applications in general. I'm quote confident that your exposure to web applications is but a drop in the bucket of all web applications.

    Anyway.

    This sounds like exactly the scenario issue I recently approached my managers with. After reading thru specs for a file download area of an application, I realized the same thing. Filenames were completely guessable. I called a meeting, explained it, and I'm happy to say the management "got it", and allowed me the extra time necessary to design it so as to tighten down the security on the files.

    And yes, it's a web application.

  • my name is missing (unregistered) in reply to Reweave

    Having worked for a local university for 5 weeks, I found exactly the same kind of problem with db id's in the url. For an app they wrote that the state required to "prove" that state money was actually spent on the correct items (and thus if lost the university would get no money at all from the state) I found I could easily delete the entire database from the browser. The same app also was accessible from a master login page which passed the username and password in a get url for "single signon".

    Needless to say I left quickly...


  • (cs) in reply to Dazed
    Anonymous:
    Anonymous:
    This is pretty much par for the course for web applications. In my experience insecure, poorly-designed web apps are the rule, not the exception. This doesn't make me scream "WTF!", just roll my eyes.
    It would have made me scream WTF until fairly recently but yes, it is awfully common.

    Speaking as someone who put up with a team of web "programmers" for much longer than I wish I had, I must agree as well.  It's par for the course.

    This seems like an appropriate time to remind people of (or introduce them to) the "Unskilled and Unaware" paper:  http://www.apa.org/journals/features/psp7761121.pdf
  • rocksanddirt (unregistered) in reply to asuffield

    Im no lawyer, but Im willing to think a simple backdoor such as this has potential for a lawsuit. I winder if it could be seen as violating personal information under FISMA, or perhaps the new law requiring software managers to report potential security breaches to the users who have personal information at stake?

    After all, the records hold a wealth of personal information beyond letters of recommendation and GPAs...

  • (cs)
    Anonymous:

    Sad, but hardly unexpected.

    Tom is probably the guy who be coding all the sql-injection-enabled pages we will see next year here in TDWTF.

    I doubt that. There are so many sql-injection vulnerable web sites, one programmer could never make them all in his entire lifetime.
  • (cs)

    Est. 19NaN, LOL

    Is that new? I must have just seen that for the first time.

  • (cs)

    Once upon a time in a galaxy far away there was a cell phone company with it's very own WAP-based news service. The name of the galaxy was Hungary, the name of the company is not particularly noteworthy. Anyway, it wasn't a big company, imagine some 500K users or so. Once we happened to copy one of their WAP news links into a plain web browser. It was something like http://wap.wtfgsm.hu
    /foo/news/news.jsp?id=12345. It worked as nobody bothered to set the firewalls up to only allow requests coming through their WAP gateway. Big deal.

    One of us suggested removing the news.jsp part and surpsisingly we got a directory listing. Interesting, we thought, and proceeded to delete the news/ from the end of our url. Another listing appeared, containing directories "news", "admin" and "src". We explored the admin section, resisted the temptation to post bogus news items or delete all the existing ones. After seeing what we've seen, somehow we were not so eager to steal the source code either.

  • (cs)

    Well this sure gave me a bit of a scare (before I got to the last paragraph).

    I am about to apply to grad school, and they strongly encourage using the electronic application.

  • MVP (unregistered)
    Alex Papadimoulis:

    Tom response, "Well, you were only able to access them because you're familiar with the technical details of the system. No one else would ever be able to actually figure that out on their own.



    I would have gone straight over his head to the Registrar's office.  If it is was not a good idea for me (in that I'd lose my job), I'd get one of my friends to report it to the registrar.  Get ready to jump all over me for this post... wait for it... wait for it... GO!
  • hyfe (unregistered)

    I'm a little surprised that the consensus among you US people seem to be that is not uncommon at all in your universities. Is it really that bad? Why?

    Here in Norway, the core IT-administration at the universities is usually top-notch. Barring a few bad apples here and there (most usually business-grad types) who make some weird managment decision regarding platforms everything is run by geeks who know what they're doing. The level of competence just seem to be ridicilously high.. as it should be, as you have an ample supply of geeks who need part-time jobs, aswell as an ample supply of graduates with girlfriends on campus who really wouldn't mind staying at the university a few more years.

  • Stu (unregistered)

    A couple of years back I did some contact work for a UK Fund Manager and looked discovered a huge (DOS-type) hole in their on-line fund management application. All of the account numbers were allocated sequentially, so find out one number and you could deduce them all. This alone wouldn't allow you to access anybody else's account details, but if you tried the account number and got your password wrong 3 times it would lock your account - and you'd have to phone up the "helpdesk" to get it unlocked. So, it doesn't take a rocket scientist to figure out a way to launch a DOS attack on the helpdesk! ;-)

  • MVP (unregistered) in reply to hyfe
    Anonymous:

    Here in Norway, the core IT-administration at the universities is usually top-notch. Barring a few bad apples here and there (most usually business-grad types) who make some weird managment decision regarding platforms everything is run by geeks who *know* what they're doing.  The level of competence just seem to be ridicilously high..


    I call bullsh*it... and forgive me for saying, these statements seem a little arrogant.  Maybe this is true at your university, but I bet you a million bucks it is not the norm.
  • (cs)

    Wouldn't pdf files laying around that get scanned by search engines?

  • David (unregistered)

    Is this the same 'Tom' I have on my friends list over at MySpace?

    captcha: billgates

  • Oh My! (unregistered) in reply to MVP
    Anonymous:
    Alex Papadimoulis:

    Tom response, "Well, you were only able to access them because you're familiar with the technical details of the system. No one else would ever be able to actually figure that out on their own.



    I would have gone straight over his head to the Registrar's office.  If it is was not a good idea for me (in that I'd lose my job), I'd get one of my friends to report it to the registrar.  Get ready to jump all over me for this post... wait for it... wait for it... GO!

    IMHO, you are correct - I would have done the same!

  • (cs) in reply to Raven
    Raven:
    Wouldn't pdf files laying around that get scanned by search engines?

    Maybe, maybe not. PDFs created by a flatbed-scanner might be just images, not text, so there is nothing to scan.
  • (cs) in reply to MVP
    Anonymous:

    Here in Norway, the core IT-administration at the universities is usually top-notch. Barring a few bad apples here and there (most usually business-grad types) who make some weird managment decision regarding platforms everything is run by geeks who *know* what they're doing.  The level of competence just seem to be ridicilously high..

    You won't be saying that once WTFU finishes their Oslo and Trondheim campuses.

  • (cs) in reply to Raven
    Raven:
    Wouldn't pdf files laying around that get scanned by search engines?
    Even if the pdf files are publicly accessible, the crawlers still need to find their way there. So, unless (until?) they're linked from somewhere else, probably not.
  • (cs)

    Here is an even bigger wtf:

    http://www.portabledocuments.co.uk/download.asp?file=C:/webroot/LocalUser/br4589/Website/send.asp

    Please dont drop the table before i can show this to my friend

  • ADT (unregistered) in reply to hyfe
    Anonymous:
    Barring a few bad apples here and there (most usually business-grad types) who make some weird managment decision regarding platforms everything is run by geeks who *know* what they're doing.

    You obviously wanted to write "geeks who think they know what they're doing". Proper security requires a level of experience that most students did not yet obtain. Being able to write an awk script does not make you a great and adorable h4x0r. And many universities don't bother to hire expensive "pros" when they can have so many computer-savvy students for pocket money.

    That said, I hope that the true Toms are rare even among unexperienced youth. I really do.

  • (cs) in reply to petvirus
    petvirus:
    Here is an even bigger wtf:

    http://www.portabledocuments.co.uk/download.asp?file=C:/webroot/LocalUser/br4589/Website/send.asp

    Please dont drop the table before i can show this to my friend


    Oh, sweet Jesus.

    You can download their .mdb file.
  • rune (unregistered)

    Hehe, great Spaceballs reference ;)

  • Steve L. (unregistered) in reply to hyfe
    Anonymous:
    Here in Norway, the core IT-administration at the universities is usually top-notch.

    How do you know?
  • Waggs (unregistered)

    In my undergrad work, I prototyped a student enrollment system:

    Student Processing, Enrollment and Registration Management System.

    Instructor got a chuckle from it.

    Waggs

     

  • Christoffer (unregistered)

    I like Tom. Tom is my new role model. When I grow up I want to be just like him.

    Yes, really.

  • John Kugelman (unregistered) in reply to Unklegwar
    Anonymous:
    Side WTF here...what's with the ubiquitous attitude among posters on this forum that their experience is sooooo encompassing that they can make comments like "most blah blah blah sucks" or "almost all blah blah blah is insecure". What egos!

    Quite a stretch to assume that your vast experience (sounds a lot like Tom, actually) qualifies you to evaluate what is par for web applications in general. I'm quote confident that your exposure to web applications is but a drop in the bucket of all web applications.


    This is how it is. I'm not being arrogant, just honest. I am not saying that I can authoritatively claim that X% of web apps are poorly written, but what I can say is that of the code I am exposed to, very, very little of it is well-written.

    Sites written in PHP tend to be open to all kinds of code injection attacks. SQL injection is common, but even more so are cross-site scripting vulnerabilities--that is, programmers not properly escaping their variables when they output to the page, via htmlentities() or what have you.

    In Java or C# I see a lot of crazy threading problems. Awful session abuse. Statefulness where statelessness would work better. The frameworks in these languages tend to hide the underlying HTML/HTTP layer, and I think "enterprise-level" developers are more prone to not understanding what exactly is getting sent back and forth. They'll have huge problems trying to set cookies or get their damn login info to get in their damn session.

    People copy and paste JavaScript into their applications. It's pretty safe to say that any JavaScript code examples you find via a Google search are going to be horrible. Unless you get lucky and Dean Edwards's site, for example, pops up. Amateur web programmers will confuse server-side and client-side code, and will do things in JavaScript that really need to be done server-side.

    Again, I'm not being arrogant. I think all of this is a consequence of so much web app code being open source or scripted. I think programmers share PHP, Perl, and JavaScript much more readily than, say, C++, simply because it's all very very open and accessible. And it leads to lots of very poor sites showing off insecure code snippets. Plus web programming leads to more of a "hack away until it works" style of development than traditional programming, I suppose because you don't really run the risk of crashing your computer or anything like that.

    So yeah, this is very much par for the course. It takes maybe 3 lines of code to take an uploaded file and save it off in a directory. To secure it would require a lot of authentication code, running hundreds of lines, probably some web server configuration, which is always a nightmare, assuming you are even able to do that, and so on. Yes, today's WTF is a big security hole, but it's not shocking at all. That's all I'm saying.
  • (cs) in reply to hyfe
    Anonymous:
    Here in Norway, the core IT-administration at the universities is usually top-notch. Barring a few bad apples here and there (most usually business-grad types) who make some weird managment decision regarding platforms everything is run by geeks who *know* what they're doing. The level of competence just seem to be ridicilously high.. as it should be, as you have an ample supply of geeks who need part-time jobs, aswell as an ample supply of graduates with girlfriends on campus who really wouldn't mind staying at the university a few more years.


    Damn, the computer nerds in Norway have girlfriends?  I knew I should have studied abroad.
    (Commencing "study a broad" jokes in 3.... 2.... 1....)

  • (cs) in reply to ADT
    Anonymous:
    Anonymous:
    Barring a few bad apples here and there (most usually business-grad types) who make some weird managment decision regarding platforms everything is run by geeks who *know* what they're doing.

    You obviously wanted to write "geeks who think they know what they're doing". Proper security requires a level of experience that most students did not yet obtain. Being able to write an awk script does not make you a great and adorable h4x0r. And many universities don't bother to hire expensive "pros" when they can have so many computer-savvy students for pocket money.

    That said, I hope that the true Toms are rare even among unexperienced youth. I really do.



    According to my experience, 90% of security is about common sense and keeping some basic rules in mind. The remaining 10% is really good understanding of the underlying algorithms, being uptodate with the latest exploits and patches and experience. All this in strict order: if you lack the former ones no matter how good you are in the latter, you're screwed.

  • JL (unregistered)
    Alex Papadimoulis:
    Tom response, "Well, you were only able to access them because you're familiar with the technical details of the system. No one else would ever be able to actually figure that out on their own. But, go ahead and work on those other issues you found."

    Wow, talk about short-sighted... It would only take one mistyped URL to uncover the hole -- no technical knowledge at all.  This goes beyond "security through obscurity" into the realm of "I sure hope no one clicks that admin link that I made the same color as the background."
  • Martin (unregistered)

    Well, there is a common saying: Those who can't do, teach.

    When I was looking at going to the local university I was advised that community colleges had better courses and teachers because the university was full of tenured professors who only knew older technologies, while the community colleges had fresh instructors teaching modern technologies.

    I ended up getting my education from book stores anyway.

  • (cs)
    Anonymous:
    @AdamK: It gets better.

    http://www.portabledocuments.co.uk/send.asp?cid=NULL%20OR%201=1

    You can probably do better.



    Ok, who took down the site.  I can't see any of the fun now.  :(

  • (cs)

    I had a similar story while back ago. Thing was that the uni where I study has a big ldap db to store all the students data, passwords, privilegs and who knows whate else. There are some linux labs aswell. Say, fodora standard installation, thing is this starts sendmail during the bootime...its FREAKING anoying, so I went like "hey lemme turn this sh*t off" as it has no real use in there. So I go single user mode, wow no password prompt - smashing. Then but hey...how does it know my password...oh there is pam-ldap thingy wow...oh hey there is plaintext db ldap pass in the config. Simple...I went to speak to somone who I thought WILL understand my concern...he didn't. I was told they dont mind....cuz there are no students who can do this... except me...pretty cool, isnt it? I had to literally FORCE the other guy to take care of this issue.

  • (cs)

    you gotta love these guys who "get paid a lot" to do their job. I usually find that they are getting paid more than any of the uni grads that are working there, but once you leave and get a real job, they're actually getting paid probably half of what the average first year grad is getting paid.

  • (cs) in reply to smbell

    dammit. I get home from work and you broke the site.

  • P. Dantic (unregistered)

    "Ideally, technical debates are resoled when one side..." should be "resolved".

Leave a comment on “Apply Yourself ... at WTFU”

Log In or post as a guest

Replying to comment #:

« Return to Article