- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Admin
"TRWTF is that the result set of that query isn't used in a meaningful way. Sure, we cycle over every row returned, but in each cycle we compare the user-supplied password to "star" instead of the appropriate table column."
Man, nothing gets by you.
Admin
Admin
TRWTF is calling images on a web site "polaroids." Who does this?
Admin
Admin
Admin
Hell, why not go the whole hog?
Admin
Who would trust their home with someone who DIDN'T use Comic Sans?
Sidenote: browser.blink_allowed: false FTW!
Admin
Am I reading this wrong? I don't know VB (well it looks like VB), but doesnt:
If Request("Password") = "star" Then
Assign the value "start" to Request("Password"), thus returning true and letting anyone log in?
Admin
No, the "=" operator here tests for equality, it's not an assignment operator. "=" is ambiguous in VB etc? this is why C-like languages use "==" for equlity test and "=" for assignment.
Actually what this code does is quite simple : It loops through the DB records and for each record found, compares the user supplied password with "star".
So you will get looged in if both of the following conditions are true :
Admin
Jesus fucking bald-headed Christ in a sidecar drinking Slippery Nipples. It says twice in the article (once implied by the filename) that this is Classic ASP. If you don't know either of the possible languages the code could have been written in (this one used VBScript. Not VB, not VB.NET) then please STFU and stop assuming every language works like C++ even when it doesn't fucking look remotely similar.
If there are no records in the recordset then no login will succeed. You could argue that this is correct behaviour as there is no user record to "check" against but it is purely coincidental.
If any property of any of the 5 collections that Request can look through is called "password" (case insensitive FTW) and contains the value "star" then the login succeeds. If the value is not "star" or the property doesn't exist then no login succeeds.
Therefore there is one password, irrespective of username (which is ignored anyway).
Admin
I wager the reason the injection worked is buried in the missing context. Does the session being logged do anything? Do you get a redirect to the same page even if your credentials are invalid?
A person who iterates through all the records in a table while comparing two values that have no relation to the db data is the same person who knows sessions are important but does do anything other than log you in.
Then again, maybe the session variable didn't get cleared. He had one good log in and then could punch in literally anything. Yeah. I'm changing my vote to this.
Admin
Several days late already, but please let me have a try:
As always, TRWTF is the comments.
Admin
Admin
It matters because the vulnerability allows anyone to log in as site administrator and do pretty much anything - deface the website, steal confidential client data etc.
Admin
On the other hand, http://www.bubbleinfo.com seems to be pretty decent.
Admin
Realtor web services should all be written in J2EE, right? Because as we all know, Java is for closers.
(...ducks, runs...)