Admin
This is pretty much par for the course for web applications. In my experience insecure, poorly-designed web apps are the rule, not the exception. This doesn't make me scream "WTF!", just roll my eyes.
Admin
Well I do certainly believe it couldn't.
Admin
Sadly this kind of "no one will figure it out" mentality is all too common. You can do everything in your power to protect your identity, but idiots like this will always give your information away freely to anyone with two working brain cells.
Admin
Reminds me of Yale's stellar online admissions... that was cracked by Princeton admissions officers who were not technical enough to have an electronic application process themselves.
Admin
I agree 100%
The company I work for purchased a one-man web company a couple of years ago. Among the atrocities we found was an online store site that stored plain text credit card numbers in a web accessible directory.
Admin
Well, if the PDFs were stored in a publicly accessible directory, was there any way to upload them? Changing one bad grade in your own school's system is one thing. Changing your entire transcript and polishing the letters of recommendation before the grad admission committee gets a look would be a total coup!
Admin
I think he isn't aware of the "rest of the world", you know, outside your basement ^_^
I hope his manual process was safer, maybe they did scan his document, shred and archive them ;)
Admin
Here in the UK, you can sue idiots like this for giving your information away.
Admin
Security through obscurity I say!
I mean honestly, what are the chances they would think to increment 234.pdf?
Quit getting your panties in a bunch.
-Tom
Admin
Wow, this is such a simple "hack"? (Can you call this a hack)
This guy should be demoted to be under the command of some student.
--doc0tis
Admin
It would have made me scream WTF until fairly recently but yes, it is awfully common.
OTOH, the fact that it is common doesn't make it any less appalling. If a company wants to screw itself up, that's its own business, but if it's screwing other people like this, I think I'd play it hard:
Admin
i am the "TOM" you speak of and i don't appreciate the lies you print
Admin
A little boring story
I bet Tom's 10+ years of experience is a bluff to make this story more "wtf-worthy"
Mike Rod
Admin
Introduction to what students will find in the Real World, indeed.
Admin
If ONLY this happened decades earlier! THEN, I could blame Tom for creating "child proof" caps! They take a half second or so to open, sometimes break, and NEVER keep any halfway intelligent child out! But DON'T WORRY....Tom would probably say "But kids can't read until 3rd grade, and will NEVER figure it out!"! Never mind that both statements are false.
It's a pity. Jim's advice was simple to implement, would require almost no code changes, etc... He COULD have suggested writing a report program, and having the data sent to the main office, as should have been done in the first place. Less hassle/work and more security.
Steve
Admin
Side WTF here...what's with the ubiquitous attitude among posters on this forum that their experience is sooooo encompassing that they can make comments like "most blah blah blah sucks" or "almost all blah blah blah is insecure". What egos!
Quite a stretch to assume that your vast experience (sounds a lot like Tom, actually) qualifies you to evaluate what is par for web applications in general. I'm quite confident that your exposure to web applications is but a drop in the bucket of all web applications.
Anyway.
This sounds like exactly the scenario I recently approached my managers with. After reading through the specs for a file download area of an application, I realized the same thing. Filenames were completely guessable. I called a meeting, explained it, and I'm happy to say the management "got it", and allowed me the extra time necessary to design it so as to tighten down the security on the files.
And yes, it's a web application.
Admin
Having worked for a local university for 5 weeks, I found exactly the same kind of problem with db ids in the URL. For an app they wrote that the state required to "prove" that state money was actually spent on the correct items (and thus if lost the university would get no money at all from the state) I found I could easily delete the entire database from the browser. The same app was also accessible from a master login page which passed the username and password in a GET URL for "single sign-on".
Needless to say I left quickly...
Admin
Speaking as someone who put up with a team of web "programmers" for much longer than I wish I had, I must agree as well. It's par for the course.
This seems like an appropriate time to remind people of (or introduce them to) the "Unskilled and Unaware" paper: http://www.apa.org/journals/features/psp7761121.pdf
Admin
I'm no lawyer, but I'm willing to think a simple backdoor such as this has potential for a lawsuit. I wonder if it could be seen as violating personal information under FISMA, or perhaps the new law requiring software managers to report potential security breaches to the users who have personal information at stake?
After all, the records hold a wealth of personal information beyond letters of recommendation and GPAs...
Admin
Est. 19NaN, LOL
Is that new? I must have just seen that for the first time.
Admin
Once upon a time in a galaxy far away there was a cell phone company with its very own WAP-based news service. The name of the galaxy was Hungary, the name of the company is not particularly noteworthy. Anyway, it wasn't a big company, imagine some 500K users or so. Once we happened to copy one of their WAP news links into a plain web browser. It was something like http://wap.wtfgsm.hu/foo/news/news.jsp?id=12345. It worked as nobody bothered to set the firewalls up to only allow requests coming through their WAP gateway. Big deal.
One of us suggested removing the news.jsp part and surprisingly we got a directory listing. Interesting, we thought, and proceeded to delete the news/ from the end of our URL. Another listing appeared, containing directories "news", "admin" and "src". We explored the admin section, resisted the temptation to post bogus news items or delete all the existing ones. After seeing what we'd seen, somehow we were not so eager to steal the source code either.
Admin
Well this sure gave me a bit of a scare (before I got to the last paragraph).
I am about to apply to grad school, and they strongly encourage using the electronic application.
Admin
I would have gone straight over his head to the Registrar's office. If it was not a good idea for me (in that I'd lose my job), I'd get one of my friends to report it to the registrar. Get ready to jump all over me for this post... wait for it... wait for it... GO!
Admin
I'm a little surprised that the consensus among you US people seems to be that this is not uncommon at all in your universities. Is it really that bad? Why?
Here in Norway, the core IT administration at the universities is usually top-notch. Barring a few bad apples here and there (most usually business-grad types) who make some weird management decision regarding platforms, everything is run by geeks who know what they're doing. The level of competence just seems to be ridiculously high.. as it should be, as you have an ample supply of geeks who need part-time jobs, as well as an ample supply of graduates with girlfriends on campus who really wouldn't mind staying at the university a few more years.
Admin
A couple of years back I did some contract work for a UK Fund Manager and discovered a huge (DOS-type) hole in their on-line fund management application. All of the account numbers were allocated sequentially, so find out one number and you could deduce them all. This alone wouldn't allow you to access anybody else's account details, but if you tried the account number and got your password wrong 3 times it would lock your account - and you'd have to phone up the "helpdesk" to get it unlocked. So, it doesn't take a rocket scientist to figure out a way to launch a DOS attack on the helpdesk! ;-)
Admin
I call bullsh*it... and forgive me for saying, these statements seem a little arrogant. Maybe this is true at your university, but I bet you a million bucks it is not the norm.
Admin
Wouldn't PDF files lying around get scanned by search engines?
Admin
Is this the same 'Tom' I have on my friends list over at MySpace?
captcha: billgates
Admin
IMHO, you are correct - I would have done the same!
Admin
Maybe, maybe not. PDFs created by a flatbed-scanner might be just images, not text, so there is nothing to scan.
Admin
You won't be saying that once WTFU finishes their Oslo and Trondheim campuses.
Admin
Here is an even bigger wtf:
http://www.portabledocuments.co.uk/download.asp?file=C:/webroot/LocalUser/br4589/Website/send.asp
Please don't drop the table before I can show this to my friend.
Admin
You obviously wanted to write "geeks who think they know what they're doing". Proper security requires a level of experience that most students did not yet obtain. Being able to write an awk script does not make you a great and adorable h4x0r. And many universities don't bother to hire expensive "pros" when they can have so many computer-savvy students for pocket money.
That said, I hope that the true Toms are rare even among inexperienced youth. I really do.
Admin
Oh, sweet Jesus.
You can download their .mdb file.
Admin
Hehe, great Spaceballs reference ;)
Admin
How do you know?
Admin
In my undergrad work, I prototyped a student enrollment system:
Student Processing, Enrollment and Registration Management System.
Instructor got a chuckle from it.
Waggs
Admin
I like Tom. Tom is my new role model. When I grow up I want to be just like him.
Yes, really.
Admin
This is how it is. I'm not being arrogant, just honest. I am not saying that I can authoritatively claim that X% of web apps are poorly written, but what I can say is that of the code I am exposed to, very, very little of it is well-written.
Sites written in PHP tend to be open to all kinds of code injection attacks. SQL injection is common, but even more so are cross-site scripting vulnerabilities--that is, programmers not properly escaping their variables when they output to the page, via htmlentities() or what have you.
In Java or C# I see a lot of crazy threading problems. Awful session abuse. Statefulness where statelessness would work better. The frameworks in these languages tend to hide the underlying HTML/HTTP layer, and I think "enterprise-level" developers are more prone to not understanding what exactly is getting sent back and forth. They'll have huge problems trying to set cookies or get their damn login info to get in their damn session.
People copy and paste JavaScript into their applications. It's pretty safe to say that any JavaScript code examples you find via a Google search are going to be horrible. Unless you get lucky and Dean Edwards's site, for example, pops up. Amateur web programmers will confuse server-side and client-side code, and will do things in JavaScript that really need to be done server-side.
Again, I'm not being arrogant. I think all of this is a consequence of so much web app code being open source or scripted. I think programmers share PHP, Perl, and JavaScript much more readily than, say, C++, simply because it's all very very open and accessible. And it leads to lots of very poor sites showing off insecure code snippets. Plus web programming leads to more of a "hack away until it works" style of development than traditional programming, I suppose because you don't really run the risk of crashing your computer or anything like that.
So yeah, this is very much par for the course. It takes maybe 3 lines of code to take an uploaded file and save it off in a directory. To secure it would require a lot of authentication code, running hundreds of lines, probably some web server configuration, which is always a nightmare, assuming you are even able to do that, and so on. Yes, today's WTF is a big security hole, but it's not shocking at all. That's all I'm saying.
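The "three lines to save an upload" versus "authentication code around the download" contrast from the post above, as an added example that is not from any poster or from the site in the story. The applicant names, transcript bytes and the SecureStore class are constructed for illustration; `session_user` is assumed to come from an already-authenticated login session.

```python
import secrets

# Constructed sample data (not real records): applicant -> transcript bytes.
TRANSCRIPTS = {"alice": b"ALICE GPA 3.9", "bob": b"BOB GPA 2.1", "carol": b"CAROL GPA 3.5"}


def insecure_publish(store):
    """The three-line approach: each upload lands in a web-accessible directory
    under a sequential name, so /uploads/1.pdf, /uploads/2.pdf, ... are served
    to anyone, with no login and no ownership check."""
    webroot = {}
    for n, data in enumerate(store.values(), start=1):
        webroot[f"/uploads/{n}.pdf"] = data
    return webroot


def exposed_by_counting(webroot, max_id=1000):
    """Defender's check: how many documents does the insecure layout hand to a
    visitor who simply counts upward from 1? Every hit is a disclosure."""
    return [webroot[f"/uploads/{n}.pdf"] for n in range(1, max_id)
            if f"/uploads/{n}.pdf" in webroot]


class SecureStore:
    """Hardened version (constructed): files are kept out of the web root and
    reachable only through a random token that is bound to the owner, and the
    download handler checks the logged-in user against that owner."""

    def __init__(self):
        self._files = {}  # token -> (owner, data); never exposed as a listing

    def save(self, owner, data):
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable by incrementing
        self._files[token] = (owner, data)
        return token

    def download(self, session_user, token):
        entry = self._files.get(token)
        # Same answer for "no such file" and "not your file", so a probe learns
        # nothing about which tokens exist.
        if entry is None or entry[0] != session_user:
            return None
        return entry[1]
```

The point of the token is not secrecy of the URL alone; the owner check is what stops a logged-in applicant from reading someone else's transcript even if a token leaks.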
Admin
Damn, the computer nerds in Norway have girlfriends? I knew I should have studied abroad.
(Commencing "study a broad" jokes in 3.... 2.... 1....)
Admin
According to my experience, 90% of security is about common sense and keeping some basic rules in mind. The remaining 10% is a really good understanding of the underlying algorithms, being up to date with the latest exploits and patches, and experience. All this in strict order: if you lack the former ones, no matter how good you are in the latter, you're screwed.
Admin
Wow, talk about short-sighted... It would only take one mistyped URL to uncover the hole -- no technical knowledge at all. This goes beyond "security through obscurity" into the realm of "I sure hope no one clicks that admin link that I made the same color as the background."
Admin
Well, there is a common saying: Those who can't do, teach.
When I was looking at going to the local university I was advised that community colleges had better courses and teachers because the university was full of tenured professors who only knew older technologies, while the community colleges had fresh instructors teaching modern technologies.
I ended up getting my education from book stores anyway.
Admin
Ok, who took down the site. I can't see any of the fun now. :(
Admin
I had a similar story a while back. Thing was that the uni where I study has a big LDAP db to store all the students' data, passwords, privileges and who knows what else. There are some Linux labs as well. Say, Fedora standard installation, thing is this starts sendmail during boot time...it's FREAKING annoying, so I went like "hey lemme turn this sh*t off" as it has no real use in there. So I go single user mode, wow no password prompt - smashing. Then but hey...how does it know my password...oh there is a pam-ldap thingy wow...oh hey there is a plaintext LDAP db password in the config. Simple...I went to speak to someone who I thought WILL understand my concern...he didn't. I was told they don't mind....cuz there are no students who can do this... except me...pretty cool, isn't it? I had to literally FORCE the other guy to take care of this issue.
Admin
you gotta love these guys who "get paid a lot" to do their job. I usually find that they are getting paid more than any of the uni grads that are working there, but once you leave and get a real job, they're actually getting paid probably half of what the average first year grad is getting paid.
Admin
dammit. I get home from work and you broke the site.
Admin
"Ideally, technical debates are resoled when one side..." should be "resolved".