Admin
I really wanted to believe that this monumental failure in security couldn't have been done by accident. I am actually at a loss for words.
Admin
first post?
Wow. I've seen people coding open-ended SQL injections like this (I even did it on a few of my own first-lesson websites), but to not know that you can view JavaScript from a browser, that's scary.
Admin
Showing this to a DBA got a long silence, a gasp, then a long groan, pretty cool to watch.
Admin
Could we stop unregistered users posting in the first 3 comments? Would cut out the majority of the "fist!" posts.
And back on topic: Ugh, that code makes my skin crawl.
Admin
Here's an idea for those "first" posts, how about their IP gets blocked. :)
And that code is just sad. Maybe it was a contractor that did it. :)
Admin
Wait wait wait... you view javascript code from the browser? Next thing you are going to tell me is that you can do the same thing with HTML.
Nice try guys, but April Fools was last month.
Admin
Someone should be beaten with a two by four for doing something that stupid.
What if this had been discovered by someone with malicious intent? looks at self Muhahahaaa!
Captcha: craaazy. How appropriate.
Admin
And you know all those images on your web site? Someone can save those to their own computer as well. Even if you put in an anti-right click script.
Admin
The "Real WTF" is surely that he complained to the company and they realised he knew what he was talking about and put him through to someone who could do something about it.
Admin
Not long ago, I was given the task of rewriting an ASP (VBScript) site created in 2003 that had been the victim of SQL injection attacks. The pages were passing query strings like "user.asp?action=edit&id=1234" and "user.asp?action=add&username=foo". That was the worst SQL injection invitation I'd ever seen until today.
Just months before I was given this task, they were giving me a hard time about how my insistence on using things like type declarations and stored procedures was slowing down development time.
Admin
Those always piss me off. It's kind of fun to disable script, reload, save the file and then email the photo to the site's admins with "Your kung fu is weak."
Admin
Nothing's worse than a client who insists that you make their site un-stealable. I've had "I don't want anybody lifting my copy. Put all the text in images so they can't copy and paste it." "But they could still OCR it, or have a secretary copy it." "Well, that makes it harder, so do it anyhow."
Btw - fortunately due to the current market I don't have to take jobs like that anymore. Whew, glad 2000 came and went.
Admin
Not long ago, we were in the process of implementing some HR software. Part of this was on a front-end server that acted as a public web server (connecting to confidential HR data in the back-end database, mind you). Long story short, they were having problems and decided the best way to fix it would be to put the IUSR_Servername (Internet guest account for anonymous access to IIS) in the local admin group on the web server. In a related story, our security guy now has a facial tic. Thankfully, we decided against using their software. Moral of the story: never assume someone wouldn't do something THAT stupid. Whatever THAT may be (SQL injection, escalated rights, etc.)
Admin
IBM's manage now does this... or at least an older version did. I haven't looked into the most recent one.
Admin
Maybe they should just give users direct access to the database. "If you are placing an order, you must fill out the following tables with your information..."
And another step is taken towards 100% user-modifiable content. This is the future, folks.
Admin
Moving JavaScript to a .NET back-end? That's so Web 1.0! I'll bet that delivery system has almost no Ajax at all now.
The "status" vs. "theStatus" differentiation is also a nice touch. I've seen people try to differentiate between classes and locals this way ("Session theSession = ..."), and that's bad enough, but doing it with two locals takes the cake. That should be a joy for anybody to maintain.
Admin
...... what the suck???? sucking culo
Admin
Really, I gotta say that, Alex, this is one of your lesser editing jobs. Really, the entire code section could have been taken out, and replaced with the phrase "And Moshe discovered that the SQL queries for the site were created using client-side javascript and were wholly vulnerable to SQL injection attacks".
A lot of code reading there for no purpose.
Admin
This sort of reminds me of when I first learned how to create ASP pages. I used an MS Access database and promptly placed it sans-password onto the server in the root web directory. Then in my ASP database include file I wrote a nice HTML comment: <!-- get database from c:\www_root\db.mdb -->
There, now everyone who views the HTML source will know exactly how to download my open database. Perfect.
Admin
You're not actually reading all that code, right? To me, being confronted with this code greatly enhanced the "shock and awe" effect (i.e. my jaw dropped to the ground completely, instead of halfway only).
Admin
And where's the shock and awe in that? You can't get a moan from a DBA with a text line...
Seriously, I find most of the stories fun, even if I can't read the code. I'm an engineer, most of my work is in C or assembly, so SQL/JavaScript/<put-your-new-favorite-fancy-technology-here> is foreign to me.
CAPTCHA: alarm - That should ring a bell, eh?
Admin
Is your CV online? We're hiring at the moment.
Admin
It's worse than that. Most browsers save that image to disk without even asking the user. Someone needs to do something about all these copyright violating "caches"
Admin
I'm not even surprised.
One of the developers here was surprised you could see the password in the HTML source because he had set the field type to "password"; that should have prevented it, in his mind :\
Admin
Hmm... where do they do that? Will it work if one uses Firefox+Adblock and block off the upper transparent image?
Admin
Every browser but IE has an easy way to get a hold of media embedded in the page without using right-click. In Firefox, it's called "Page Info" in Tools. Click Tools -> Page Info -> Media, and there's all the images laid out neatly for you. As well as any SWF or MP3s or whatever other media the page might have.
In Safari, it's called "Activity" in the Window menu, IIRC.
Point is, disabling the right-click menu, even if it wasn't easily circumvented, only works in IE in the first place.
(The "Real WTF" is how few people seem to know about the Page Info window in Firefox.)
Admin
Hey this code is in fact 31337!
Admin
To be fair, even Gecko based browsers can have their context menu hijacked, if they allow it.
Admin
Anyone heard of a browser detection script? Disabling right-click can be done in all browsers: http://hyperdisc.unitec.ac.nz/materials/javascript/top10/disablerightclick.htm But, it's nice to know that the author of this script doesn't like right-click disabling as well!
But, as far as I know, the major browsers all let you view HTML source, so it's entirely useless, unless you don't know anything about webpages. Oh.
Probably the best way to hide images is to send a link via ajax, and then set it as the background-image. Then it's not in the HTML source, and can't be found easily (like IMDB and flickr). But even then, it can be picked up by Web Developer https://addons.mozilla.org/en-US/firefox/addon/60.
Admin
Who would write a SQL client in Javascript?!? That developer had to know less than nothing. Anyone around for 5 years knows the joys of Javascript. First, it wasn't mature enough. Then, IE and Netscape fought over setting standards. Now, everyone knows how (and why) to turn Javascript off in the browser.
Also, the SQL strings make it harder to maintain the application. They waste bandwidth when only a few form values are really needed. Worse, every browser-cached Javascript page has to be changed when the SQL rules do, which the server can't control.
Admin
Don't believe every thing that you read. It works in Firefox and IE, but Opera will cheerfully pop up the context menu, even if you change your javascript settings to let javascript see the right click.
Admin
Not a bright idea. For one thing, many people move around to different publicly-accessible wireless networks, so blocking a particular IP would not block the poster for long. Secondly, many ISPs issue connections out of a shared IP pool, so blocking would block others on the same system, while blocking the offender only by chance.
Admin
They probably committed suicide by holding their breath.
Admin
Oh, please then, enlighten me. 'Cause I sure don't know "why".
Really sharp point you got there. It might waste an entire 100 bytes! Heretics!!
Most semi-decent frameworks contain ways of controlling the script tags, and thereby client caches. Just informing you, since you don't seem to know.
Admin
I am seriously hitting my head really hard right now.
I can't believe that I have to compete with these people for jobs.
Worse yet: Management almost never knows what kind of WTF code these people are writing since they don't know what code does anyways, and they are happy if the devs just say "yes!" and do it, even if it's in a completely retarded way.
Admin
Or you could take a screenshot of the page, print it out, put the printout on a wooden table, take a picture with a camera, scan in the picture, and then email it to them!
But yeah, disabling javascript is probably easier. Unfortunately I use the noscript firefox extension, so normally I never know the anti-right click script is even there in the first place.
As for this particular WTF, this is why we need to start insisting on some sort of certification for web developers instead of allowing the 15-year-old nephew of the VP of marketing to get the job. It's easy enough to learn enough web development to put together what appears to be a functional website; it's much harder to make one that actually does work.
Admin
I guess I never noticed this little anti-rightclick "trick" because I always just dragged the images I want to my desktop. Doesn't that work on Windows?
captcha: kungfu (no, seriously)
Admin
Someone's been playing too much counterstrike ;D
Admin
Doesn't work on Firefox 2.0.0.3 with dom.event.contextmenu.enabled=false. (at least some) Distros provide Firefox with this set by default.
UPDATE: oh yeah, if I release the button over the page and NOT over the menu option (which is where I would release it, I opened the context menu for that reason after all), it pops up a message box. For a moment I forgot the fact that the Mozilla developers are still retards; you still can take down the browser with an infinite loop of alert().
Admin
Yeah, you are right. He probably should have written "anyone with half a brain knows how and why to turn off Javascript by default".
100 bytes times how many millions of requests?
No, no framework controls client caches. Because no server-side code can control the client (i.e., the browser). The best they can do is request the browser do something. Whether they abide by that request or not is up to the browser.
Admin
It does work, yes.
Admin
Hm, not even ten posts to get the requisite "First post!", "Captcha = who gives a crap", and of course, "the real WTF is that I'm a pompous know-it-all"
Admin
But seriously, nixen's idea here is that if you need to update "mylib.js", you instead create a new file, "mylibv2.js" and send back all new pages pointing to the new file. Just because you can't "control" browsers doesn't mean you can't trigger the desired behaviour in the ones that people use.
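The versioned-filename scheme described in the reply above, as an added example that is not part of the original thread or anyone's posted code: instead of hand-naming "mylibv2.js", derive the suffix from a hash of the file's content, so the name (and therefore every cached copy's URL) changes exactly when the script changes and stays stable otherwise. The file names, contents and the page snippet below are constructed for the demonstration.

```python
"""Added example, not from the original thread: content-hashed script
filenames, the usual way to make a browser fetch a new copy of a script
without relying on it honouring cache headers.  All inputs are constructed."""
import hashlib
import re


def versioned_name(name: str, content: bytes) -> str:
    """mylib.js -> mylib.<first 12 hex chars of sha256(content)>.js

    Two builds with identical content get identical names, so existing
    caches stay valid; any change to the content yields a new URL."""
    digest = hashlib.sha256(content).hexdigest()[:12]
    stem, dot, ext = name.rpartition(".")
    return f"{stem}.{digest}{dot}{ext}" if dot else f"{name}.{digest}"


def rewrite_script_tags(html: str, assets: dict) -> str:
    """Point every <script src="NAME"> at its hashed name.

    `assets` maps the plain filename to its bytes (a build step would read
    these from disk).  Scripts not in `assets` are left untouched."""
    def repl(match: re.Match) -> str:
        src = match.group(2)
        if src in assets:
            return match.group(1) + versioned_name(src, assets[src]) + match.group(3)
        return match.group(0)

    return re.sub(r'(<script\b[^>]*\bsrc=")([^"]+)(")', repl, html)


if __name__ == "__main__":
    # Constructed page and script; not from the site under discussion.
    page = '<script src="mylib.js"></script><script src="vendor.js"></script>'
    print(rewrite_script_tags(page, {"mylib.js": b"function hello(){}"}))
```

The hashed file itself is then served with a long max-age; the HTML page that references it stays short-lived, which is the "send back all new pages pointing to the new file" step from the post.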
Admin
Since when did Alex start spelling his name "J A K E?"
Sure there was probably more code there than needed to get the point across... But it REALLY gets the point across. How are the eyes now? Did the goggles do anything?
Admin
That is just horribly stinky, but sadly I can see how the barely educated and zero common sense programmers you see all too often could think that it was cunning. What happened to security courses, and best practices courses, and architecture courses, etc, at university?
The sad fact is, this just should not be happening, full stop. SQL Injection aside, forming SQL statements is so clearly and obviously not a client-side behaviour that you'd have to be retarded to go down that path. I can understand server side code that has SQL Injection flaws - a brief demonstration and education about prepared statements usually sorts the people out and they never make the mistake again. However I don't think there's any redeeming for someone who forms SQL in client-side Javascript.
Admin
I think the right-click script war ended when someone discovered
I feel sad for the customers that want it - very sad.