- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Swordfish was definitely WTF, great reference.
Admin
scary stuff
Admin
Got to love people that think javascript is an effective security. And people that think the presence of a cookie (or any non-signed/hashed value for cookie) is a secure authentication mechanism.
Now put them together....
Admin
Best security system... ever! :)
Admin
I see this regularly. Very bad.
[image]Admin
Shouldn't the text be as following?
I guess it's hard with all the negative words ;)Admin
"Fidelo" But what is the house password?
CAPTCHA: pinball. Yay!
Admin
Admin
This one's even better:
It does exactly what you think it does. Even worse, this was software that was internet-accessible.
http://seclists.org/bugtraq/2000/Aug/0200.html
Admin
Tja, this is just black-listing people:
"The cookie value must be undefined or "No" in order for someone to [NOT TO] have admin privileges"
Everybody who is not on the blacklist can log on. Great! Given that you can edit a cookie in Notepad or that you could use a browser that is not capable of JavaScript... Aye!
BTW: I would use an include as well. Why not?
CAPTCHA: atari Finally a computer that with no Windows or UNIX-flavour
Admin
WTF? This depends wether or not this app is ran on intranet... if it is ran on intranet then it is highly unlikely that a non IT employee would have the wits to do this-- and if so I'd be F**king happy, at least they won't need help with their printer. Also, grounds for dismisal.
deployed on internet- then yeah, WTF.
Admin
Why use Coldfusion for... well... anything?!
(spent 1.5 years doing CF development... PAINFUL)
Admin
Probably in this case there's no reason not to. If the contents of "../../include_admin_security.cfm" are not needed on every page and don't return any values (like in this case) a cfinclude is a good way to go.
Yes, an application.cfm would be better for this sort of thing, and an application.cfc would be more robust, but I doubt that was a major concern here.
Admin
The real WTF is that someone would willingly use Cold Fusion.
Admin
grounds for dismissal? Even if it is on intranet, with such lax security, any employee who can google what a cookie is can get access to admin pages, which, depending on the company/page, might be very valuable company secrets. Firing someone isn't going to stop the fact that they already could've sold the company secrets...
very bad design
Admin
Also, what's about the fancy "window.open(...,'_self')"? Is this a countermeasure against those ultra-sophisticated hackers that have location.replace() disabled? I wonder what happens if the user has a popup blocker running...
Admin
Yeah, WTF, indeed. Everybody knows the threat comes from inside because here you must be dreaming: "it is highly unlikely that a non IT employee would have the wits to do this"
Maybe they are no IT guys but that makes them sometimes if more dangerous. People who click here and there with no meaning can find quite some backdoors in enterprise systems. And if it's only accessing HR data.
Be warned!
Admin
The <CFSESSION> can only take care of an entire session but not for individual pages. And in CF I have seen sessions die after minutes for no reason even though they were set to expire only after hours.
Admin
What tag are you talking about? There is no <cfsession>.
Admin
<CFSESSION> is not in the article. Just as in every web application you can use application and session variables to store similar kinds of information. These are defined in the previously mentionnened "application.cfm". The first time the application is run the <CFAPPLICATION> tag is checked and then every time a user logs on the <CFSESSION> is checked. So, normally this is more logic than using includes.
Admin
If you don't have brains, doing any sort of development is painful. CF is the easiest and the best language for web development. Unfortunately, because it's so easy, a lot of dumbasses get into it, and write code like this. If you have half a brain, you can write better, more secure apps in CF multitudes faster then in any other language.
Admin
The application I inherited was written entirely in CF with a SQL database backend. After a week of doing tweaks in the code and stabbing myself in the ear repeatedly with a pen, I pushed my boss to let me rewrite it in ASP.
Part of me wishes I'd just left it... then I wouldn't have had to see the DB queries that were 400 lines long, consisting of copy/paste sections with one variable changed per section.
At least it's now a quarter of the size, twice as fast, and doesn't look like a Disey programming language.
-- Seejay
Admin
The real WTF is that someone who can't even spell ColdFusion thinks he's qualified to comment on it.
Admin
Although it might be possible to rewrite a BAD CF application in less code in ASP, I would bet that I can rewrite a GOOD ASP application in less code in CF. Just because you're more comfortable in ASP, and don't get CF, doesn't mean CF is a worse language.
Admin
If someone can show me a language that's dumbass-proof, I'd like to see it. .NET certainly isn't. Java isn't. C++ isn't by a long shot, and as an added bonus you can do a lot more damage with C++.
Admin
I guess the difference with the other languages is that the bar is set higher. With CF, even dumbasses can be moderately successful and write sort of working applications.
Admin
Please tell me you're posting old stories saved up from 10 years ago. Please tell me nobody still does stuff like this anymore. Say it ain't so.
Admin
Never said that CF didn't have its uses or that it couldn't be used to write good applications in less code. But as a programmer, with a background in standard programming languages, CF is oddly formed and difficult to wrap your head around. Combine it with the fact that there's a lot of simplistic stuff in it to make it "friendly" to monkeys, it tends to make my programmer brain cry out in pain.
I have used aspects of CF for my current ASP and ASP.NET applications. My current apps are stored on an internal server, accessible only to people within my department, while the CF servers are accessible by anyone within the company. This set up has given me a lot of flexibility and power for things that I want to do... surveys for clients within the company to do? Set it up on the CF server, send results to the ASP server. Authentication to get into the department only server? Start at the CF server, grab credentials, pass to the internal server to verify and if good, give access. The CF server also has easy access to the mail server, while my internal one gave me headaches. Internal passes information to external, sends email, and responds back that it was successful.
The CF server has been an absolute godsend for some of the things I've needed to do. The language syntax though makes me cringe.
And to add, it's a smart and intelligent programmer that can view the various tools outside of the box and use what's available. CF has its uses and dismissing it outright when your toolbox doesn't always have what you want isn't the smartest thing to do. But some tools aren't always elegant, which is one of the reasons why I dislike CF.
-- Seejay
Admin
Been there. Done that. In my experience the CF world is divided between a small number of people that might have some CS or at least IT background, and a vast sea of people who fell back on programming after failing at every other career they tried back in the early 90's.
So, really, just like any other "web page" language.
Admin
I have a MS in CS, and I have had no trouble getting used to the syntax, while ASP makes me cringe. CF is so easy, that you can actually memorize 90% of the things you'll use, and won't have to use documentation all the time. CF has CFScript, which is very similar to c++ in syntax. It has CFC's, which are sort of classes, and although they're not real classes, they do their job well. And best of all, if you don't like the CF functions, all of the objects are java objects, and you can find the methods and call them directly (such as the string methods on scalar variables). So, if you don't like the way CF does things, you can just use almost pure java.
Admin
Grails -- Check it out http://www.grails.org/
Admin
Let me get this straight.. you're actually using this site to do astro-turf marketing for your favorite framework? This is the kind of comment I expect to see on Youtube, "cute movie... there's lots of hot camgirls at emocamchicks.com".
Admin
I agree that the programmer should use the best tool available to him, which is why I will use perl or java, or any other language that might be better for the job at hand. I do not agree that cf is not elegant, I think its a very elegant language, and I would love to be proven wrong. I mean what's more elegant and simple then:
<cfquery name="users" datasource="mydsn"> select userID, userName from users </cfquery> <cfoutput query="users"> #userName#</cfoutput>
Admin
Actually, it's kind of interesting. It seems that the people that are some of the top developers in CF actually don't have a CS background. I think that speaks pretty well for the language -- the fact that people with no formal CS training can build great applications in it.
Admin
There are? To bad I can't get emocamchicks.com at work, gotta wait till I get home.
Admin
Well, think about all the other programming languages. C, PHP, SQL, VB... not very hard to spell, are they? A misplaced space here or there is rarely called a spelling error, and in most languages, it is inconsequential (I'll admit, putting it in the middle of a variable name would be a little problematic, but then English is not a strongly typed language)
Admin
Dim objConn, objRecordset Set objConn = Server.CreateObject("ADODB.Connection") Set objRecordset = Server.CreateObject("ADODB.Recordset")objConn.Open "Provider=sqloledb;Server=HappyServerName;Database=HappyDB;User Id=HappyUser;Password=HappyPeople" objRecordset.Open "Select userID, userName From users", objConn, 2, 1
While Not objRecordset.EOF Response.Write("<a href='/user.asp?id=" & objRecordset("userID") & ">" & objRecordset("userName") & "
") Wend
objRecordset.Close objConn.Close
Set objRecordset = Nothing Set objConn = Nothing
I mean really, I think you're just splitting hairs... if you were getting paid by the hour, it'd be Miller time!
Admin
This reminds me of the old user id in the query string WTF...
Admin
Hi brainless dumbass,
Sweeping superlatives like that are by definition wrong and just prove your own ignorance.
Admin
Agreed. Any time someone mispells something, I completely discount their opinion!
Admin
The real WTF is that there are so many contentious readers of this site.
Admin
I hope you were being sarcastic. The CF code is half the size, a lot easier to read, and the ASP code is wide open for people to forget to close things, and release object memory leading to bugs and memory leaks.
Admin
So I guess everyone was too busy bashing CF to bother doing a Google search on "You do not have permissions to view this area"?
...
...
...
Ok, it didn't pull up the offending site, just this blog entry and a few mirrors (fast crawler!). But still, wouldn't that have been fun?
And of course, VB6 rules. :)
Admin
Seriously, it is a WTF either way because you know this clueless coder is using this "security" in other applications. It isn't like like they were lazy because it was "just an intranet application" or something. I mean, how hard would it have been to store the "admin" flag in, say, the session on the server? I don't know about Cold Fusion, but in Ruby on Rails the amount of code is exactly the same. cookies[:is_admin] vs. session[:is_admin].
-matthew
Admin
The point is that ColdFusion has not been called Cold Fusion for many, many years. The name has been changed to prevent people from confusing it with Cold Fusion term in physics. So if you've really used a recent version of ColdFusion, you should know how it's spelled, and if you don't, it means that you probably haven't used the language in many years, and shouldn't be allowed to make comments about it.
Admin
I too, have used CF (in the distant past) for a small internal web app backed by Sybase. It wasn't fancy, but it was handy (eg: we already had paid for the licenses and didn't need to go through purchasing), and it did the job.
I think most of us would agree that anyone with decent coding skills and reasonable familiarity with a given tool can do a pretty nice job of building something with that tool.
Likewise, anyone with no brains and even less skills can create something worthy of this site using any tool in any capacity.
Admin
Admin
I was. But to be fair to ASP in VBScript, the ASP code doesn't require a System DSN to be set up (+1), doesn't technically need the Dim statements or the final *.Close or Set statements (it's just good practice). and could be done in 5 lines if you only wanted to return the first record in the db and didn't mind an ugly error if there weren't any records :)
Set objConn = Server.CreateObject("ADODB.Connection") Set objRecordset = Server.CreateObject("ADODB.Recordset") objConn.Open "Provider=sqloledb;Server=HappyServerName;Database=HappyDB;User Id=HappyUser;Password=HappyPeople" objRecordset.Open "Select userID, userName From users", objConn, 2, 1 Response.Write("If the OP is reading these (or to others with an opinion), what would be the most elegant way to include an admin file (and again, not knowing CF, I'm assuming that ../../include_admin_security.cfm is outside of the webroot)?
Admin
Why do people even act like the people who ARE smart enough to fake the cookie would be the people you DON'T have to worry about? That's obviously silly. When I see weak sauce security I go straight at it...just for fun and embarassment of the people involved.
What's the point of security if not to keep technically inclined people out of private areas? If we were only worried about dumbasses, we would just not publish the URL and add a robots.txt telling Google to go away.
Admin
This is a WTF is so many ways. The thing is that ColdFusion does have a perfectly functional built in security model. The real kicker for me though is that even if you're going with an idiotic security method, the code should've been much shorter
<cfif Not IsDefined('cookie.admin') or cookie.admin is not 'yes'> <script language="JavaScript"> alert("You do not have permissions to view this area"); window.open('index.cfm','_self') </script> </cfif>