Admin
Obligatory Bobby Tables reference.
Admin
This won't make Judy S. (5-time MostFaithful person award) happy.
Admin
It was already in the article: Not even showing her The Dreaded Obligatory Cartoon.
Admin
So you could access the admin page by changing your "Logged" session variable to "ON"?
Admin
No. Session variables are stored on the server.
Admin
I'm confused.
Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
Admin
TRWTF is that the result set of that query isn't used in a meaningful way. Sure, we cycle over every row returned, but in each cycle we compare the user-supplied password to "star" instead of the appropriate table column.
Admin
The code snippet shown was after Emmett fixed the sql injection vulnerability.
Admin
should be "...Or worse? Who would trust their home with someone who used Comic Sans?"
Admin
Indeed. Even a blank username would work.
There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.
Admin
As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
Admin
I couldn't agree more with this comment and the OP; they really are like that, shrewd penny pinchers. I make it a business practice to avoid them at all costs.
Admin
Huge security upgrade:
Admin
Pachelbel's Canon in D.
Admin
That's what's confusing. How did Emmett spot the SQL injection vulnerability on the login page, and how did he log in with the username "' OR 1=1;--"?
(Edit: Yeah, what he said.)
Admin
Because he used that as the USERNAME, and in fact ANY username including blank would work as long as the password was 'star'.
Admin
Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?
Admin
Yes, but it's still going to show up six more times in the thread.
Admin
For the people who still don't get this:
The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.
Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.
No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.
Admin
Admin
Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.
Admin
Exactly. So why did the "proof of concept" work?
Admin
The password field must have been already filled in (saved?) from a previous login?
Admin
TRWTF is Notepad, amirite?
Admin
So basically, TRWTF is TDWTF.
Admin
If it's a real estate web site why does someone need to log in?
Admin
Maybe clients can log in to see status of their sale/purchase
Maybe Landlords can log in to see references gathered from prospective tenants.
Maybe the business owner can log in to update the content of their "news" section.
Why the fuck does it matter?
Admin
As stated by someone else, he used " or 1=1--" as the username, but must have used "star" as the password.
Many WTFs going on here, but there is no injection vulnerability because none of the user input is sent to the SQL Server.
Admin
Okay, since no one seems to get it: The login code just loops through the account info stored in the database, and compares the stored passwords to the string "star". Since one of the entries presumably has that password, it'll always log you in. It literally does not matter what the user enters.
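An added example, not code from the article or from any commenter, modelling the login logic this post describes (loop over every row, compare each stored password to the literal "star") beside a fixed version that looks up only the submitted username with a bound parameter and compares against that row. The table name, column names and the three accounts are constructed for the example; the injection string is the one quoted in the thread.

```python
import hmac
import sqlite3

# Constructed sample accounts (not from the article); one row has the password "star".
REALTORS = [("judy", "star"), ("alice", "hunter2"), ("bob", "correct-horse")]


def make_db():
    """In-memory stand-in for the site's [Realtors] table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Realtors (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO Realtors VALUES (?, ?)", REALTORS)
    return conn


def login_as_described(conn, username, password):
    """The logic the thread describes: fetch every row, loop, and compare each
    stored password to the literal "star". The submitted username and password
    are never used, so the query has no injection surface, but anyone gets in
    as long as one account in the table has the password "star"."""
    logged = False
    for (_user, stored_pw) in conn.execute("SELECT username, password FROM Realtors"):
        if stored_pw == "star":
            logged = True
    return logged


def login_fixed(conn, username, password):
    """Look up only the submitted username (bound as a parameter, so the
    "' OR 1=1;--" string stays data) and compare the submitted password to
    that row's stored value. Passwords should be stored hashed (e.g. PBKDF2)
    in a real system; plaintext is kept here only to mirror the table above."""
    row = conn.execute(
        "SELECT password FROM Realtors WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1;--"
    print("described:", login_as_described(db, probe, "anything"))  # True
    print("fixed    :", login_fixed(db, probe, "anything"))         # False
    print("fixed    :", login_fixed(db, "judy", "star"))            # True
```

With the described logic the username is irrelevant (an empty one works too, as noted above); with the fix only the matching account's own password is accepted.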
Admin
Blah blah blah, Akismet, blah blah blah, no spam, blah blah blah, see you in hell, blah blah blah ...
Admin
Never mind, I misread the code. C-Derb is correct. "' OR 1=1; --" could not have worked without a password.
Admin
It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.
Admin
If we are to assume any kind of aptitude on the part of the submitter, we must assume that the code shown is, as was said once above, what the original code was replaced with. One could imagine that the original code might've been something like this:
I can only imagine that it's possible that obfuscation might've screwed up the actual code and "star" should've been rs("password") ... but, I can't say that for sure. Also, the indentation in the code in the article is all borked.
Admin
Literally the first large "real estate" firm I thought of in my country:
http://www.bairstoweves.co.uk/ - check the top left corner.
Admin
As a web developer and database person, it still took me a sec. I think that the "example" in the story above doesn't have much to do with the code (somehow??). What the code boils down to is a hard coded password... of course that assumes you have any users in the database (if no users, then it'll never check the hard coded password).
It is correct however that since the SQL statement is hard coded, it's not vulnerable to SQL injection from user input. What other people suggest (user set to "' OR 1 = 1;--" and password set to "star") is probably what actually happened on the "injection test".
Admin
TRWTF is the unnecessary brackets around [Realtors]; amirite?
Admin
It depends. I know a Realtor who has 14 other Realtors in his office and they can log into their site to get some information. Since she wasn't able to update her own site, however, I'm not sure what she was doing logging in.
Admin
Or that's what I thought until I looked at it again and noticed that the "End If" and "Loop" indents didn't match the start of their blocks. TRWTF is programmers who can't indent properly.
Admin
This story can be made more colorful by introducing more elements like hacking, property buying and selling, and an eventual housing market crash in America.
All possible due to Judy.
Admin
In MIDI I hope. I prefer to listen to all my music in MIDI so I know that the notes are exactly the ones the artist intended.
Admin
Funny seeing that on here. Just this morning I was watching the Four Chords Song, which covers the same basic theme.
Admin
In this one thing, the original programmer is blameless. That's all me. Indenting in a WYSIWYG is hard.
Admin
Correct.