• God (unregistered)

    Lol pudding first post

  • toxik (unregistered) in reply to God

    fist!

    The real WTF here is that they use VBScript

    The real WTF here is the forum software

    This WTF isn't as funny as they used to be

    Sincerely, Gene Wirchenko

  • nikolas (unregistered)
    Alex Papadimoulis:
    Else
      session("grantaccess") = "SALES"
      session("showDebug") = "none"
    End If


    my favourite part =)
  • (cs)

    Boy, it's almost as if they've never heard of .htaccess files, or the equiv. for IIS (which I believe is point/click "who do I want to see this?")

  • jkaiser (unregistered) in reply to nikolas
    Anonymous:
    Alex Papadimoulis:
    Else
      session("grantaccess") = "SALES"
      session("showDebug") = "none"
    End If


    my favourite part =)


    at least it wasnt like this

    response.redirect("special.asp?grantaccess=sales&showDebug=none")
  • (cs)

    Another example of job security through incompetence. If they fire the programmer, they won't be able to hire or fire anybody else. Well, until they hire another programmer.[8-|]

  • (cs)

    It's security through obscur-- er, no. It's security through phy-- no, not that either.

    It's security through....Well, I dunno, really.

  • Whicker (unregistered) in reply to Volmarias

    This wtf reminds me of the hardcoded TI-83 BASIC program shells so prevalent in highschool. The ones that could be bypassed by pressing the 'ON' button...

  • The Internet (unregistered)

    Now is the HR person responsible for adding new employees to the code as well as setting up direct deposit, the health plan and the 401k?

  • Pyromancer (unregistered)

    they sure are optimistic-they assume these guys will not quit or switch jobs [:D]

  • (cs)

    No question. This is a "WTF Award Winner of the Day".

  • (cs) in reply to nikolas
    Anonymous:
    Alex Papadimoulis:
    Else
      session("grantaccess") = "SALES"
      session("showDebug") = "none"
    End If


    my favourite part =)

    Heh - perhaps they give so little access to their salespeople that it doesn't matter if they give it out to random people. Or perhaps there were too many users in the sales department, and the author couldn't be bothered adding them all.

  • John Hensley (unregistered) in reply to Whicker
    Anonymous:
    This wtf reminds me of the hardcoded TI-83 BASIC program shells so prevalent in highschool. The ones that could be bypassed by pressing the 'ON' button...

    Oh, I'm sure there are many people reading this forum who were once very impressed with themselves after adding a password to an 8-bit BASIC program using plaintext string comparison.

  • (cs) in reply to Volmarias

    wow... way too many if...elseif's... the obvious solution is to create a new ASP page for each user and just do the following:

     

    Response.Redirect UCase(usrID) + ".asp"

  • (cs)
    Alex Papadimoulis:
    ElseIf UCase(Trim(rsGetUserID("JOB_TITLE"))) = "DEVELOPER" Or UCase(usrID) = "LINDAA" Or _ UCase(usrID) = "CAROLK" Or UCase(usrID) = "SUMMERE" Or UCase(usrID) = "SHAUNR" Or _ UCase(usrID) = "JESSIES" Or UCase(usrID) = "SHADAR" Or UCase(usrID) = "MILOS" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "DATABASE MANAGER" Or _ UCase(Trim(rsGetUserID("JOB TITLE"))) = "DATABASE ADMINISTRATOR" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "CONTROLLER" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "ACCOUNTANT" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "INTERNAL AUDIT MANAGER" Then 'session("ignoretabs") = "yes" Response.Redirect "Special.asp"

    I wonder how rsGetUserID() is implemented - another long series of If .. ElseIf ... statements?

    On second thoughts, maybe I don't want to know...

  • Aaron (unregistered) in reply to makomk

    makomk:
    Alex Papadimoulis:
    ElseIf UCase(Trim(rsGetUserID("JOB_TITLE"))) = "DEVELOPER" Or UCase(usrID) = "LINDAA" Or _ UCase(usrID) = "CAROLK" Or UCase(usrID) = "SUMMERE" Or UCase(usrID) = "SHAUNR" Or _ UCase(usrID) = "JESSIES" Or UCase(usrID) = "SHADAR" Or UCase(usrID) = "MILOS" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "DATABASE MANAGER" Or _ UCase(Trim(rsGetUserID("JOB TITLE"))) = "DATABASE ADMINISTRATOR" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "CONTROLLER" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "ACCOUNTANT" Or _ UCase(Trim(rsGetUserID("JOB_TITLE"))) = "INTERNAL AUDIT MANAGER" Then 'session("ignoretabs") = "yes" Response.Redirect "Special.asp"
    I wonder how rsGetUserID() is implemented - another long series of If .. ElseIf ... statements?

    On second thoughts, maybe I don't want to know...

    In VBScript, using ADO, that is most likely just a recordset.  So rsGetUserID() isn't actually a method call, its more like retrieving a value from a collection. Thats one of the major problems with VB.  You can't tell between arrays (or indexers) and functions (or subs, bleh - cant believe they even distinguish between the two).  What a crappy language.

  • Aaron (unregistered)

    I find myself being very annoyed by the number of calls to UCase(Trim(rsGetUserID(""))).  Especially considering that VBScript doesn't use short circuit evaluation, that means that this is being called over and over and over and over - no matter what.  If the first item is a match, it still calls it for every single IF evaluation.  Now maybe, just maybe, VBScript is doing some optimization in the interpreter, but I doubt it. Why not make one variable, call the methods once, and then use that for the evaluations?

    Am i crazy for thinking this?

  • (cs)

    I've seen worse, like the Access system that named all of its tables/views/queries after the users that needed them followed by a number.

  • (cs) in reply to toxik

    Anonymous:
    The real WTF here is that they use VBScript

    Yes...  sort of.  It's ASP - VBScript-like syntax is all it supported.

     

  • KevinS (unregistered)
    Alex Papadimoulis:
    
    

    'RONALDT FIX - Needed for Ronald to view KevinS's jobs ElseIf UCase(usrID) = "RONALDT" then Response.Redirect "ronaldt.asp" 'END RONALDT FIX

    'JEREMYP FIX - Needed for Jeremy to view BobC's jobs 'ElseIf UCase(usrID) = "JEREMYP" then ' Response.Redirect "jeremyp.asp" 'END JEREMYP FIX



    I'm very curious how redirecting to ronaldt.asp will allow Ronald to see KevinS's jobs.  Maybe all ronaldt.asp does is display KevinS's jobs.  Now that would be a WTF.

  • mcguire (unregistered) in reply to Pyromancer
    Anonymous:
    they sure are optimistic-they assume these guys will not quit or switch jobs [:D]


    No, no, it's much better!  You just require the newbie in the job to change their name to match the id!
  • (cs)

    OK... wild stab in the dark... I'm guessing some mate of a mate of the boss was a cheap student coder who naively said 'sure I can do that'.

    Bunch of ="JESSIES"

  • Maintenance Coder (unregistered) in reply to KevinS
    Anonymous:
    Alex Papadimoulis:
    
    

    'RONALDT FIX - Needed for Ronald to view KevinS's jobs ElseIf UCase(usrID) = "RONALDT" then Response.Redirect "ronaldt.asp" 'END RONALDT FIX

    'JEREMYP FIX - Needed for Jeremy to view BobC's jobs 'ElseIf UCase(usrID) = "JEREMYP" then ' Response.Redirect "jeremyp.asp" 'END JEREMYP FIX



    I'm very curious how redirecting to ronaldt.asp will allow Ronald to see KevinS's jobs.  Maybe all ronaldt.asp does is display KevinS's jobs.  Now that would be a WTF.

     

    Yes... yes it does.

  • (cs) in reply to GalacticCowboy
    GalacticCowboy:

    Anonymous:
    The real WTF here is that they use VBScript

    Yes...  sort of.  It's ASP - VBScript-like syntax is all it supported.

    Sorry, not true. ASP is an Active Script Host (see http://msdn.microsoft.com/scripting for more information); by default that means either VBScript or JScript are available to use, but you can easily add support for other languages like, for instance, Perl (see ActivePerl from http://www.activestate.com).

  • (cs) in reply to Maintenance Coder

    Am I the only one who feels physical pain when reading about such spectacular stupidity?

  • diaphanein (unregistered) in reply to John Hensley

    Anonymous:
    Anonymous:
    This wtf reminds me of the hardcoded TI-83 BASIC program shells so prevalent in highschool. The ones that could be bypassed by pressing the 'ON' button...

    Oh, I'm sure there are many people reading this forum who were once very impressed with themselves after adding a password to an 8-bit BASIC program using plaintext string comparison.

    Those of us that were "hardcore" wrote the routine in ASM.

    I did once reduce myself to writing a TI-83 menu emulator to fool the teachers into thinking they were really clearing my RAM.  My first ASM app.  Boy could I pull some WTFs out of that code... What is this "stack" you speak of?

  • Paul Bean (unregistered) in reply to merreborn

    I developed this system. It's pretty damn good in my opinion.

    Paul Bean

    (formerly Paula Bean, I had a sex change operation)

  • (cs) in reply to Paul Bean
    Anonymous:
    I developed this system. It's pretty damn good in my opinion.

    Paul Bean

    (formerly Paula Bean, I had a sex change operation)

    I don't believe that you could have done that.  I've seen some of your code, Paul(a), and this goes way beyond your ability.
  • An apprentice (unregistered)

    The right thing to do would be to wrap it up in a proper database. Probably rewriting this function in PL/SQL.

  • Angry ASP Guy (unregistered) in reply to An apprentice
    Anonymous:
    The right thing to do would be to wrap it up in a proper database. Probably rewriting this function in PL/SQL.

    What and then use ODBC through ASP to call it?  yeah, that sounds awesome. Or you could stick it in a COM dll and really cause yourself some pain... ;)

    lol  the CAPTCHA word is "enterprise"
  • Jack Burton, me (unregistered)

    Looks pretty typical for a small company with no money.  It probably also did exactly what they wanted it to do.


  • Not Registered (unregistered)

    Am I the only one here who thinks this is not that bad? What is really the big difference between hardcoded usernames and a configuration file, especially for some internal application? Of course it could be done better, a lot better, but it could also be far worse.

  • (cs) in reply to Not Registered
    Anonymous:

    Am I the only one here who thinks this is not that bad? What is really the big difference between hardcoded usernames and a configuration file, especially for some internal application? Of course it could be done better, a lot better, but it could also be far worse.



    I don't even want to imagine your "far worse" options ... *shudder* ...

    l.
  • Guy Inconito (unregistered) in reply to lofwyr

    Far worse is easy; Remember those ?admin=true WTFers? :)

  • (cs) in reply to merreborn

    merreborn:
    Am I the only one who feels physical pain when reading about such spectacular stupidity?

    Not at all merreborn......not at all.....

  • (cs) in reply to Angry ASP Guy
    Anonymous:
    lol  the CAPTCHA word is "enterprise"

    ssshhhhh! the forum bots will hear!
  • Eq (unregistered) in reply to nickf

    I realise it's not the point here, but what sets my teeth on edge is all this unnecessarily repeated UCase, UCase, UCase rather than upper-casing the appropriate strings once and comparing against those versions throughout the method.

  • (cs) in reply to R.Flowers
    R.Flowers:
    Another example of job security through incompetence. If they fire the programmer, they won't be able to hire or fire anybody else. Well, until they hire another programmer.[8-|]

    You are almost right - they can fire the programmer, but they cannot stop his paychecks from arriving until they hire another programmer.

  • Steve (unregistered)

    This is actually concise code that clearly achieves its intent.  I suspect any alternative solution would introduce new costs, and I'm not sure what the benefits would be.  The WTF in the system is probably that ronaldt.asp and special.asp are needless reimplementations of the default ASP, but since that's not what is actually posted, it's hard to tell.

    I'd like to see an alternative solution to this.

     

  • (cs) in reply to Not Registered
    Anonymous:

    Am I the only one here who thinks this is not that bad? What is really the big difference between hardcoded usernames and a configuration file, especially for some internal application? Of course it could be done better, a lot better, but it could also be far worse.

     

    Yes you are the only one.

    It seems that a lot of people think "Its only an html file. You have to store the information someplace, one file is as good as another. Why not store it in the html file, instead of a config file."

    Lets suppose it is an interal app for a small business. And lets suppose for the sake of argument security is pointless, this thing is only implemented for convienience... SO what happens when someone quits or is fired. Who gets to change it?

    Do you as the dev want to be bothered with the detail of updating the code in the html every time a person quits or is hired? Do you want some random secratary to be mucking around in your code? Is it going to really kill you to stick this into some sort of database (whether it is a real database or just a simple config file doesn't really matter)

  • The Anonymous Coward (unregistered) in reply to Steve
    Anonymous:

    This is actually concise code that clearly achieves its intent.  I suspect any alternative solution would introduce new costs, and I'm not sure what the benefits would be.  The WTF in the system is probably that ronaldt.asp and special.asp are needless reimplementations of the default ASP, but since that's not what is actually posted, it's hard to tell.

    Concise?  Hardly.

    Look, the optimist in me hopes you're joking, but my inner pessimist insist on responding anyway.  If you don't see what's wrong with this, get as far from the software business as you possibly can.  You are a danger to yourself and others.

    I am beyond tired of working with folks who "can't see the benefit" of good design and maintainable code.  When it's time to do the Hard Work of making code maintainable, they just can't see how the easy way would ever be a problem; yet then when it's time to maintain the code, they're the first ones moaning about how hard it would be to change this or fix that; but of course, the problem isn't the code, so it must be these unreasonable new requirements!

    WTF!

     

  • (cs) in reply to chrismcb

    I want to know why they are sometimes checking usrId and other times checking session("UID").

    And what's JEREMYP done to get his access removed?

    In any case the UCase(Trim(rsGetUserID("JOB_TITLE"))) and UCase(usrId) called a gazillion times each are a WTF even if nothing else is.

    In my experience these types of WTFs are usually caused by managers who would rather do 37 "quick" fixes than commit to doing a bit more work upfront and fixing it once and for all.


  • Eq (unregistered) in reply to woodle

    woodle:

    And what's JEREMYP done to get his access removed?

    That's the guy that submitted the code here. They found out.

  • Steve (unregistered) in reply to The Anonymous Coward

    I think you're missing his point. There are some things that are just small enough, and one-offs and such, where all the ideas about maintainability and extensibility are really inappropriate. Now, before this ridiculous statement sets your teeth on edge, let me offer some support:
    I've been coding for about 10 yrs professionally, I'm at least good enough to appreciate elegant code and good architecture, patterns, agile methods, etc.etc, and I still think that sometimes we all swallow the "extensible framework" kool-aid a bit too much. I've been on lots of large projects that are orders of magnitude more complicated than they need to be (not bad, mind you, well written, but following all the latest rules about how to make your apps extensible), mostly because they were designed the way they were "supposed to be". Some things really are a one-off, and building an n-tier system for something that 2 people are going to use internally is probably not a good idea most of the time.
    Now, the thing about this WTF is that it reminds me of a job I had a long, long, long time ago. I wasn't really coding back then, but I worked in tech support for a small (about 100 people ) firm that had lots of small databases that had been thrown together for people in Filemaker 3, whose (incredibly minimal) maintenance and extension I inherited. Anyway, there were lots of things thrown up for the use of 2 or 3 people, and they served the business needs. Passwords were (if I remember correctly) encoded directly into the db,  which also worked fine at the time, although obviosly not terribly scalable. Something like the WTF actually has a few benefits in this environment:
    -all the  passwords are in one place.
    -yes, you have to "recode" if someone leaves, but it's really not much more work than changing their password, which you have to do anyway.
    -it works
    inotherwords, it's fine as a one-off hack. Obviously this equation changes if it actually needs to be really secure, or if it has to exist on a bigger scale. But there's a place for this sort of thing.

    Of course, it's also atrociously written, but definately not as WTF as some of the giants of the past.

  • Peter (unregistered) in reply to Eq

    Wouldn't something like this be easier? (yes, still on the quick-n-dirty approach)

    //pseudo code
    managers = Array("user1", "user2", "user?");
    users = Array("user5", "user6", "user?");
    if(member(managers)){
      //give cool security access
    } else if(member(users)){
      //give minimal access
    } else {
      //denied...
    }

    It is far from perfect... but surely significantly cleaner without building the taj mahal.

  • (cs) in reply to Steve

    Anonymous:
    I think you're missing his point. There are some things that are just small enough, and one-offs and such, where all the ideas about maintainability and extensibility are really inappropriate. Now, before this ridiculous statement sets your teeth on edge, let me offer some support....

    OK....  hard coding plain text paswords in to anything is like keeping a spare key to your house in one of those little fake rocks 2 metres from the front door. If somebody wants in enough - they have instant access. Now, I understand that not everything is worth the effort of hashing passwords (ie the odd pdf), HOWEVER........surely a 'quick and dirty' authentication system is something most coders should have lying about in a code lib somewhere, ready for when somebody says "Hey! Let's do some sorta q&d auth'ing." A simple (working) auth UI/backend isnt something I would consider a 'one-off'.

     So therefore, wouldnt it be worth the effort of dreaming up something a little bit more inventive than hard coded plain text passes ready for those rainy days? Surely this guys time would have been better spent learning some simple sec tech before embarking on a hack and potentially would have spent a similar amount of time creating something that actually worked for the most part, instead of coming up with utter rubbish.


    A stitch in time saves nine hundred lines

  • The Uneducated Programmer (unregistered) in reply to Steve
    Anonymous:
    I think you're missing his point. There are some things that are just small enough, and one-offs and such, where all the ideas about maintainability and extensibility are really inappropriate. Now, before this ridiculous statement sets your teeth on edge, let me offer some support:
    I've been coding for about 10 yrs professionally, I'm at least good enough to appreciate elegant code and good architecture, patterns, agile methods, etc.etc, and I still think that sometimes we all swallow the "extensible framework" kool-aid a bit too much. I've been on lots of large projects that are orders of magnitude more complicated than they need to be (not bad, mind you, well written, but following all the latest rules about how to make your apps extensible), mostly because they were designed the way they were "supposed to be". Some things really are a one-off, and building an n-tier system for something that 2 people are going to use internally is probably not a good idea most of the time.
    Now, the thing about this WTF is that it reminds me of a job I had a long, long, long time ago. I wasn't really coding back then, but I worked in tech support for a small (about 100 people ) firm that had lots of small databases that had been thrown together for people in Filemaker 3, whose (incredibly minimal) maintenance and extension I inherited. Anyway, there were lots of things thrown up for the use of 2 or 3 people, and they served the business needs. Passwords were (if I remember correctly) encoded directly into the db,  which also worked fine at the time, although obviosly not terribly scalable. Something like the WTF actually has a few benefits in this environment:
    -all the  passwords are in one place.
    -yes, you have to "recode" if someone leaves, but it's really not much more work than changing their password, which you have to do anyway.
    -it works
    inotherwords, it's fine as a one-off hack. Obviously this equation changes if it actually needs to be really secure, or if it has to exist on a bigger scale. But there's a place for this sort of thing.

    Of course, it's also atrociously written, but definately not as WTF as some of the giants of the past.


    Steve, first you say it's "concise" and "clearly acheives its intent", then you say it's atrocious.

    I'm guessing you are a self-taught coder who learn the skills after many years in the IT industry. I'm also guessing you're surrounded by a bunch of bad-to-mediocre programmers who toss the buzzwords around but are unable to accomplish anything.

    We are not talking about extensible frameworks or n-tier architectures here. It's a matter of fundamental programming principles.

    Firstly, the code exhibits all signs of being tossed together as the need arises rather than showing any thought whatsoever. It is not a one-of, since the commented-out code shows that it has been modified at least once, so maintainability is definitely an issue. Furthermore, it's not just unoptimized, it's practically anti-optimized. Some have already pointed out the ucase() optimization. Others have also shown how you can do away with multiple if statements by using a simple look up.

    Secondly is the abstraction of data and function. You seem to be saying that a database is too heavyweight for this, and I do agree with you on that. I'm also against reinventing the wheel. But having a separate entity isn't the only way to abstract parts of a system. A simple array to provide a lookup table isn't too heavy weight. It's also easier to maintain (even the secretary can do it) and far less error prone.

    This site is littered with examples which "just work" but that's not the point. Software engineering is about obtaining a high quality product that can last. Just because some kludge works now doesn't mean it can work in the future.

  • (cs) in reply to diaphanein
    Anonymous:

    Anonymous:
    Anonymous:
    This wtf reminds me of the hardcoded TI-83 BASIC program shells so prevalent in highschool. The ones that could be bypassed by pressing the 'ON' button...

    Oh, I'm sure there are many people reading this forum who were once very impressed with themselves after adding a password to an 8-bit BASIC program using plaintext string comparison.

    Those of us that were "hardcore" wrote the routine in ASM.

    I did once reduce myself to writing a TI-83 menu emulator to fool the teachers into thinking they were really clearing my RAM.  My first ASM app.  Boy could I pull some WTFs out of that code... What is this "stack" you speak of?

     

    our system at school stored the passwords for everything in a text file (called passwords.cfg of something), so all i had to do was fire up the text editing app and open the file, which gave me hours of fun, controlling peoples computers etc, until of course i noticed the teacher standing behind me while i was looking at his inbox [:|]

    Wonder what system that was, was some dossie sort of system.

  • (cs) in reply to GalacticCowboy
    GalacticCowboy:

    Anonymous:
    The real WTF here is that they use VBScript

    Yes...  sort of.  It's ASP - VBScript-like syntax is all it supported.

     


    I'm not sure if someone else has already pointed out that you don't know what you're talking about. But just in case they haven't: you don't know what you're talking about. 

    Classic "ASP" is just a thin framework/library. It's 5 objects can be implemented in a number of languages, including VBScript--the most common--but also JScript, TCL, etc.

    You could rewrite that exact code in JScript almost line for line. ASP is not a language. It does not support any syntax.
  • Ben (unregistered) in reply to wunderkind

    The real WTF as far as I can see, is if "ronaldt" sees his personal URL, gets curious, and tries out "jeremyp.asp". Though commented out, I bet you twice the salary-alexp-deserves that jeremyp.asp still resides on the server.

Leave a comment on “Personal Personnel Authentication”

Log In or post as a guest

Replying to comment #:

« Return to Article