• Faceless Coward (unregistered)

    What amuses me the most in this site is the WTF-a-thon that happens in the comments. Man, what a display of self-inflicted WTFs. And I'm guilty as charged.

  • BAReFOOt (unregistered) in reply to --Tei
    Anonymous:
    //IMHO sould be something like that:

    $post["name"] = $_POST["name"];

    $sql["name"] = mysql_real_escape($post["name"]);
    $sql = 'SELECT IdUser FROM dat_users WHERE Name="'+ $sql["name"] + '"';


    now

    $sql == 0

    !!!

    P.S.: PHP concatenates strings with "." ;P
  • Maurits (unregistered) in reply to Will
    Anonymous:
    Anonymous:
    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.

    Please say that's a joke :/


    What do you want, a big flashing neon sign?
  • heyrockywatchmepullarabbitoutofmyhat (unregistered) in reply to Maurits

    I had no problem picking up on that, but then I did get a 700 on my GRE verbal :-/

  • (cs) in reply to joe bruin
    Anonymous:
    As such, I have no worries about outsourcing, and neither should any good developer.


    That's what many of my friends in the manufacturing industry said when containers never turned up or the parts didn't have a single thing in common with the spec. Many companies worked out how to get around most of the problems. Today a company that doesn't outsource at least part of its production is very rare indeed.
  • (cs)
    Alex Papadimoulis:

    After a few hours of digging through the code for the first time, the in-house team spotted where the problem was.

    This is a minor WTF as well.   A recursive grep of the error message should have pinpointed this problem in just a few minutes.

  • Kiss me, I'm Polish (unregistered) in reply to Faceless Coward

    The language is not important, you can mess up everything in any language if you're talented enough.
    Also - what's the problem with the dollar signs in the variable names? It's there for a reason, it's useful, and it's specific to the language, like ":=" in Pascal or "void main(void)" in C. Get over it. You're neither funny nor smart.

  • (cs) in reply to Kiss me, I'm Polish

    Anonymous:
    The language is not important, you can mess up everything in any language if you're talented enough.
    Also - what's the problem with the dollar signs in the variable names? It's there for a reason, it's useful, and it's specific to the language, like ":=" in Pascal or "void main(void)" in C. Get over it. You're neither funny nor smart.

    I think he was saying that if a variable name contains a $, it's a dead giveaway that the code is not C#.  You can't declare a variable with $ anywhere in the name.  (I just tried it.)

  • (cs) in reply to Kiss me, I'm Polish

    Kiss me:
    The language is not important, you can mess up everything in any language if you're talented enough.

    <babbling verbose="on" admin="true" sqlInjection="off">

    That's true!  I create really fine messes on a daily basis in Java, Perl, as well as VB6! Managers love it, too!  They ask for it by name. :)

    Gotta love that automation though - it gets you to that *wrong* answer that much quicker.

    However, don't get me started on my shenanigans with dBase III & Clipper! Those were the days. ;)

    </babbling>

  • (cs) in reply to Gene Wirchenko
    Gene Wirchenko:
    Bus Raker:
    eddieboston:
    On a meta-note, why is it that everybody becomes "Anonymous" when I click the "quote" button?

    (not to start the whole "the real WTF is the forum software" thing again...)

    If they haven't logged in but only supplied a name, they will become 'anonymous'.  Notice how my 'first' post which was deleted by Gene Wirchenko (sincerely I am sure) still has my login in my second and now first post.


    Alex does not like the "First!" posts.  Your second post was marginal.

    Sincerely,

    Gene Wirchenko

    The problem with the world these days is no one wants to have any fun.  In a day and age where you can get a dual MSCE/CEH (Ethical Hacking) certification ... I will try to be insightful in subsequent first posts. ;

    _'; DROP TABLE users; --

     

    guess the forum software is safe :-)


  • BAReFOOt (unregistered) in reply to Bob
    Anonymous:
    Diet pepsi out the nose hilarious.


    Ha. You know that this stuff is more dangerous than cigarettes, right? Aspartam is a potential biochemical "WMD" from a - in my eyes criminal - company ("Monsanto") that creates such stuff for the government.
  • The Anonymous Coward (unregistered) in reply to shaggz
    shaggz:
    Alex Papadimoulis:

    After a few hours of digging through the code for the first time, the in-house team spotted where the problem was.

    This is a minor WTF as well.   A recursive grep of the error message should have pinpointed this problem in just a few minutes.

    They weren't just after this bug; they were supposed to fix all remaining bugs (which of course we all realize means all remaining known bugs)...  So while they could've started with pinpoint searches for known bugs, I wouldn't call it a WTF to instead just start by becoming familiar with the code base in general.  In fact, at this point I would have low enough confidence in the code that, having been given responsibility for it, I would be inclined to think of pinpoint bug searches as a poor use of my time.

  • Maurits (unregistered) in reply to Bus Raker
    Bus Raker:
    _'; DROP TABLE users; --

     guess the forum software is safe :-)

    Ah, so that's why I can't log in...
  • WTF? (unregistered) in reply to BAReFOOt

    Tinfoil hat! Ready...and...conspiracy!

    First off, it's spelled "aspartame". (Unless there's a weaponizable biotoxin out there actually named "aspartam", in which case you have my apologies.)

    Where, exactly, does "creates such stuff for the government" fit in? Aspartame is sold COMMERCIALLY around the world and very clearly advertised as such. Where's the conspiracy here? Or is "works with the government" nutjob-slang for "teh evil corporation"?

  • The Anonymous Coward (unregistered)

    There's plenty to be said about the hidden costs of outsourcing.  Someone said the cost of high-quality software development is the same anywhere in the world.  The implication is that cheap outsourcing is a way to buy low-quality development; and I agree.

    Of course, we should not be deluded into thinking that every American developer is a good developer.  I've seen local folk who are every bit as bad as these overseas developers -- that is, they (a) don't understand security (i.e. wouldn't have recognized the injection threat in the original version of the code); (b) would convince themselves that they could roll their own solution without reading up on the subject; and (c) would write a "fix" consisting of a sloppy hack without considering its side-effects.

    As an aside, I think this is what makes outsourcing appear attractive.  Sure the cost of good development is the same everywhere, but the cost of sloppy hacking is much higher if it's done here in the USA.  Since management often fails to see the difference between the two, outsourcing can appear to be a good deal.  I'm convinced it will die out when -- and only when -- management catches on that it's attacking the wrong problem.  The high cost isn't the problem -- the low quality is.  They need to learn to tell the difference between high- and low-quality development amongst the on-shore ranks.

    But I digress.  My point was, while outsourcing does introduce new problems into the process -- having to do with communication mostly -- none of those new problems really enter into this WTF; so the real WTF is dragging the whole hot-button "outsourcing" issue into this story.  We're told that the project also suffered from communication problems due to outsourcing, and I guess we're supposed to think that the failure of the overseas team to read the provided article about injection was in that class of problem, but it's not.

  • merreborn (unregistered) in reply to Sizer
    Anonymous:
    > Even for overseas programmers that is shameful.

    You think so? It's indented and legible, which is more than we've gotten back from outsourced overseas programmers.

    Seriously. C/Java with no indenting whatsoever. Would that waste precious disk space?



    It gets worse.  We had a guy who wrote a 50 line javascript function in echo'd PHP statements, unindented.

    i.e.


    echo "function do_validate(myvar)";
    echo "{";
    echo "if (myvar = 'constant')";
    echo "do_things();";
    echo "}";


    etc. etc.

    We dropped the whole outsourcing idea pretty quickly after that.
  • Lemons are Sour (unregistered) in reply to Kiss me, I'm Polish

    While I love PHP, and think it is a great language, it also lends itself to really bad coding practices. There is a severe lack of consistency in the API, and it is hindered by an obligation to backwards compatibility. It is very easy to do something stupid in PHP.

  • Anonymoose Custard (unregistered) in reply to merreborn

    Alex... I have to ask - why do you still use such useless forum software as Community Server when there are solutions available that actually work? If you could stop gazing adoringly at bill for a moment you may even consider that phpBB is probably the best free one available, and knocks the socks off this pile of shite.

    :)

  • sdether (unregistered) in reply to Sizer
    Sizer:
    >
    You think so? It's indented and legible, which is more than we've gotten back from outsourced overseas programmers.

    Seriously. C/Java with no indenting whatsoever. Would that waste precious disk space?



    But it wastes less precious disk space than if there was indenting.
  • Jon (unregistered)

    I haven't had to think about SQL injection in years.

    query("SELECT * FROM Message WHERE user_from = %s AND priority = %i AND public = 1", $_GET['from'], $_GET['priority']);

  • (cs) in reply to toddhilehoffer
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!

    Seems to be about par-for-the-course for the overseas jobs I've seen:  cut corners, no QA and worst of all--lying to the customer--"Don't worry. we'll fix it."


  • (cs) in reply to Maurits
    Anonymous:
    What makes it worse is that arbitrary SQL can STILL be executed using the

    EXEC( CHAR(##) + CHAR(##) + ... + CHAR(##) )

    trick.  Combine this with xp_cmdshell and life starts to get a little dangerous.

    Oh, and Community Server must die.  Apologies to Cato.

    This forum used to have a similar "fix" for -moz-binding based JavaScript injection attacks, with a similar work-around involving CSS escapes. (It's fixed with the CS 2.0 upgrade - style attributes are totally disabled - so I can safely mention it here.)

  • Rob (unregistered) in reply to Anonymoose Custard
    Anonymous:
    phpBB is probably the best free one available, and knocks the socks off this pile of shite.


    I'm willing to bet that Alex doesn't want to spend his time applying security fixes every couple weeks.


  • PHP hater (unregistered) in reply to Ram's Bladder Cup

    PHP - Visual Basic of the Unix world

  • Steve Taylor (unregistered)

    > As it turned out, the overseas team didn't read the SQL injection article,
    > so they invented their own protection scheme that discriminates against
    > Seth, Amanda, and George ...

    I'm glad to see a bit of balance in reporting after yesterday's nasty anti-Steve article. Death to Seth, Amanda and George!


                              Steve

  • Matthias (unregistered)

    Well, I must say that Alex made this submission a little more dramatic than it was in reality. The subcontractors weren't overseas, the second paragraph is completely new to me (I submitted this) and the turnaround time after the initial report wasn't "several weeks" but about 18 hours.

    Anyway, I almost like it better this way.

  • argh (unregistered) in reply to Rob
    Anonymous:
    Anonymous:
    phpBB is probably the best free one available, and knocks the socks off this pile of shite.

    I'm willing to bet that Alex doesn't want to spend his time applying security fixes every couple weeks.


    Yeah, as if this crapware is far more secure :p

    If you're willing to spend some bucks I'd recommend vBulletin.
  • (cs) in reply to argh
    Anonymous:
    Anonymous:
    Anonymous:
    phpBB is probably the best free one available, and knocks the socks off this pile of shite.

    I'm willing to bet that Alex doesn't want to spend his time applying security fixes every couple weeks.


    Yeah, as if this crapware is far more secure :p

    If you're willing to spend some bucks I'd recommend vBulletin.


    I haven't been having any problems with the Simple Machines Forum, and it seems to be fairly robust.


  • Cthulhon (unregistered)

    Alex's post doesn't make any sense, and I don't mean in the WTF sense.  The summary says that it only reacted to full occurrences of strings in $badSqlCode within names, but it has brackets instead of parentheses, so it would error on almost any name (since all the vowels are covered).  If we assume that the brackets were a typo on Alex's part when obfuscating, as he has been known to do, then the regex does 'work' after a fashion.  The \s at the start and end will have to match whitespace and thus it would not error on the names with SQL commands in them.  Either the code is wrong or the summary is wrong.  Of course, there's still the WTF that they didn't use prepared statements, or at the very least mysql_real_escape_string.

  • (cs) in reply to Calophi

    Wow, quick reply on this forum is another WTF.

    Anyway, argh, this one just burns in places that shouldn't burn. I was always careful to cover my ass for SQL explication attacks, but shouldn't these guys try procedures (although considering they're probably using mySQL, I suppose not :-/)

  • Mark H (unregistered) in reply to Michael Casadevall

    Not to be one of those guys who submits a "the real WTF is..." post, but the real WTF is that they continued to use overseas programmers after they realized they had no idea what sql injection means.

    I'm all for learning on the job, but you shouldn't be learning on code that's going into production.

  • k bob (unregistered)

    I'd have more to say about this awesome WTF, except that I've got to go and use SQL injection to break into some Indian banks right now...

  • Matt (unregistered) in reply to Bob

    Pepsi Max is better

  • Seth (unregistered) in reply to Zic
    Anonymous:
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!


    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.


    Some of the comments over here are the real wtf. What programming language does "Anonymous" know? It is obviously not C# among them (it does not even know its syntax). Nor PHP.
    Not to mention the wise guy who would perform security tasks using JavaScript, which can be disabled with a few clicks (see for example "The spider of doom").
    Many of the ones who post messages here should post them to a basic programming course. Believing that you have the right to post here is the real WTF!!!
  • Rob (unregistered) in reply to Seth

    The Javascript post was a joke. He  was not being serious.

  • DJ Mike B (unregistered) in reply to WTF Batman

    D'Oh :-)

  • Masklinn (unregistered) in reply to Anonymoose Custard
    Anonymous:
    Alex... I have to ask - why do you _still_ use such useless forum software as Community Server when there are solutions available that actually work? If you could stop gazing adoringly at bill for a moment you may even consider that phpBB is probably the best free one available, and knocks the socks off this pile of shite.

    :)

    Yeah except no, PHPbb is just as big of a steaming pile of shit as CS, it's just that it's written in PHP and not in .Net

    PunBB, on the other hand, is clearly in another ballpark, on every count (including the quality of the HTML output).

  • Kreiger (unregistered)

        I get it. The WTF is that it's written in PHP!

  • a (unregistered) in reply to Digitalbath
    Digitalbath:

    Anonymous:
    or "void main(void)" in C.

    Mr. C expert I presume?

  • Philipp Keller (unregistered)

    Did they really spot the error with that?
    When I try this at home
    checkForBadSql('George')
    gets 1, that means the preg_match didn't match and the function tells me that the SQL isn't bad.

    I fear something is terribly wrong here. The WTF is that they spotted the wrong error.. or am I terribly mistaken here?

  • RichNFamous (unregistered)

    No, no, no...I don't know whether to laugh, cry, or poke my eyes out.

  • HwAoRrDk (unregistered) in reply to Jon

    Anonymous:
    I haven't had to think about SQL injection in years. query("SELECT * FROM Message WHERE user_from = %s AND priority = %i AND public = 1", $_GET['from'], $_GET['priority']);

    Oh yes? Well, think again... Use of sprintf() alone does not combat SQL injection. Here, I fixed it for you:

    mysql_query(sprintf("SELECT * FROM Message WHERE user_from = '%s' AND priority = %d AND public = 1", mysql_real_escape_string($_GET['from']), $_GET['priority']));
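The point HwAoRrDk makes above (format strings alone are not escaping, and escaping is not the same as parameterization) is easiest to see by running both styles against the same table. The following is an added example, not code from the article or from either commenter; it uses Python's sqlite3 module and a constructed Message table so it runs offline. Names, rows and the malicious input are all made up here.

```python
import sqlite3

# Constructed sample rows: (user_from, priority, public, body). The third row is
# private and must never be returned by a query that filters on public = 1.
MESSAGES = [
    ("alice", 1, 1, "hello"),
    ("bob", 2, 1, "lunch?"),
    ("carol", 1, 0, "private note"),
]


def make_db():
    """Build an in-memory database with the Message table used in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Message (user_from TEXT, priority INTEGER, public INTEGER, body TEXT)"
    )
    conn.executemany("INSERT INTO Message VALUES (?, ?, ?, ?)", MESSAGES)
    return conn


def query_interpolated(conn, user_from, priority):
    """The sprintf-style query from the thread: values are pasted into the SQL
    text, so a quote in user_from changes the meaning of the statement."""
    sql = (
        "SELECT body FROM Message WHERE user_from = '%s' "
        "AND priority = %s AND public = 1" % (user_from, priority)
    )
    return sorted(row[0] for row in conn.execute(sql))


def query_parameterized(conn, user_from, priority):
    """The same query with bound parameters: user_from is sent as data and can
    never terminate the string literal; priority is coerced to int first, so a
    non-numeric value raises ValueError instead of reaching the database."""
    sql = (
        "SELECT body FROM Message WHERE user_from = ? "
        "AND priority = ? AND public = 1"
    )
    return sorted(row[0] for row in conn.execute(sql, (user_from, int(priority))))


def demo():
    """Run a legitimate lookup and a hostile one through both query styles."""
    conn = make_db()
    payload = "x' OR 1=1 OR '"  # constructed hostile value for user_from
    return {
        "legit_interpolated": query_interpolated(conn, "alice", 1),
        "legit_parameterized": query_parameterized(conn, "alice", 1),
        "payload_interpolated": query_interpolated(conn, payload, 1),
        "payload_parameterized": query_parameterized(conn, payload, 1),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the hostile value, the interpolated query's WHERE clause becomes `user_from = 'x' OR 1=1 OR '' AND priority = 1 AND public = 1`, and since AND binds tighter than OR the `1=1` alone decides the row set, returning the private row as well. The parameterized query compares `user_from` against the literal fourteen-character string and returns nothing. Escaping, as in HwAoRrDk's fix, closes the same hole for the string column, but the parameterized form needs no per-column decision about which escaping function applies.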

  • Cheatz (unregistered) in reply to Philipp Keller
    Anonymous:
    Did they really spot the error with that?
    When I try this at home
    checkForBadSql('George')
    gets 1, that means the preg_match didn't match and the function tells me that the SQL isn't bad.

    I fear something is terribly wrong here. The WTF is that they spotted the wrong error.. or am I terribly mistaken here?

    I think you're quite right. The \s and \s in the regular expression actually make the regular expression match if and only if the text contains two whitespace characters, with some junk in between.
    Now I think the real error is the usage of the square brackets [ and ] instead of ( and ). This means that any text that contains two whitespace characters with one or more characters in [abcdehilmnoprstuvw|] (case-insensitive) matches. So "George" doesn't match, "Bla George Bla" doesn't, but "George W Bush is a monkey" does!
  • (cs) in reply to a
    Anonymous:
    Digitalbath:

    Anonymous:
    or "void main(void)" in C.

    Mr. C expert I presume?

    You don't have to be much of an expert to know that void main() isn't legal C.

  • (cs) in reply to Bellinghman
    Bellinghman:
    Anonymous:
    Digitalbath:

    Anonymous:
    or "void main(void)" in C.

    Mr. C expert I presume?

    You don't have to be much of an expert to know that void main() isn't legal C.

    void main() compiles and works on many compilers.

    [erich@localhost erich]$ cat wtf.c
    #include <stdio.h>
    void main() {
            printf("WTF!\n");
    }
    [erich@localhost erich]$ make wtf
    cc     wtf.c   -o wtf
    wtf.c: In function 'main':
    wtf.c:2: warning: return type of 'main' is not 'int'
    [erich@localhost erich]$ ./wtf
    WTF!
    [erich@localhost erich]$

  • a (unregistered) in reply to ammoQ
    ammoQ:

    void main() compiles and works on many compilers.

    char *main="\xc3"; also works on some compilers. It does not that C make.

  • Robin (unregistered) in reply to Gnpatton
    Anonymous:
    How can these people understand perl regular expression syntax but not escaping characters?


    They don't, otherwise they'd not have used a character class. Not only names containing keywords would be caught but also any other name that consists entirely of the characters abcdehilmnoprstuvw - "ronald", "stuart", "susan"...

    And they'd have used a wordbreak (\b) on each side of the word rather than a whitespace (\s).

    Is this WTF fictional? because I can't see this function passing even the most basic tests.

    -robin
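Cthulhon, Cheatz and Robin each reason about the same two mistakes in the filter: square brackets turn the keyword list into a single character class, and \s demands literal whitespace on both sides instead of a word boundary. The block below is an added example, not the article's checkForBadSql or code by any commenter. The pattern is a reconstruction from the comments' description (brackets, a `+`, \s at each end, case-insensitive) with a keyword list chosen to reproduce the character class Cheatz lists; it is an assumption, not the original regex. Python's re module is used because the semantics at issue are common to PCRE and Python.

```python
import re

# Reconstruction of the filter as the comments describe it (assumed, not the
# article's code). The brackets make "[select|insert|...]" one character class,
# so this matches any run of those letters (or '|') surrounded by whitespace.
BROKEN_PATTERN = re.compile(
    r"\s[select|insert|update|delete|drop|where|union]+\s", re.IGNORECASE
)

# What the author presumably intended: alternation in a group, with word
# boundaries so a keyword at the start or end of the string is still seen.
INTENDED_PATTERN = re.compile(
    r"\b(select|insert|update|delete|drop|where|union)\b", re.IGNORECASE
)


def check_for_bad_sql(name, pattern=BROKEN_PATTERN):
    """Return True when `pattern` flags `name`; mirrors a keyword filter."""
    return pattern.search(name) is not None


def compare(names):
    """Map each name to (broken_result, intended_result) so the two filters
    can be read side by side."""
    return {
        n: (check_for_bad_sql(n, BROKEN_PATTERN), check_for_bad_sql(n, INTENDED_PATTERN))
        for n in names
    }


# Constructed inputs: the commenters' examples plus an obvious SQL fragment.
SAMPLE_NAMES = [
    "George",                     # no whitespace at all: broken filter never fires
    "Bla George Bla",             # 'g' is outside the class: passes both
    "George W Bush is a monkey",  # " W " is all class letters: false positive
    "Dear ronald smith",          # Robin's point: " ronald " is all class letters
    "drop table users",           # no leading whitespace: broken filter misses it
]


if __name__ == "__main__":
    for name, (broken, intended) in compare(SAMPLE_NAMES).items():
        print(f"{name!r:32} broken={broken!s:5} intended={intended}")
```

Running it shows the two failure modes the thread argues about: the broken pattern rejects "George W Bush is a monkey" and "Dear ronald smith" while accepting "drop table users", and the intended pattern does the reverse. Neither is a defence; as Cthulhon notes, the fix is prepared statements, and a keyword blacklist only decides which legitimate users get turned away.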
  • jim (unregistered) in reply to ammoQ
    ammoQ:
    Bellinghman:

    You don't have to be much of an expert to know that void main() isn't legal C.

    void main() compiles and works on many compilers.


    Those aren't mutually exclusive statements, you know. But here's a little story. A few years ago I went to an interview at an embedded systems shop and was shown some code that started 'void main()'. "A-ha!" says I, being terribly clever, "that's not legal C, it should be int." "A-HA!" came the reply, "only in a hosted implementation. It's legal in a free-standing one."

    According to the standard they were perfectly right. A free-standing implementation such as many embedded systems needn't return int from main(), and indeed needn't have a main() function at all. There might not be anything for it to return to.

    I didn't get the job ;)
  • (cs) in reply to ammoQ
    ammoQ:
    void main() compiles and works on many compilers

    It may indeed do so. But that still doesn't make it legal C. And your compiler correctly points out that you've misdeclared main().

    (Sadly, it seems to be generating some output code, but a compiler is allowed to do that when faced with erroneous code.)

  • (cs) in reply to Seth
    Gameh:

    Some of the coments over here are the real wtf.
    ...

    Many of the ones who post messages here should post them to a basic programming course. Beleveing that you have the right to post here is the real WTF!!!


    Damn straight! Let only the professional and brillIant developers post here. When I think about it, add a requirement to be able to spell correctly too.
