• Dave (unregistered) in reply to Anonymous Howard

    How about *name =& !32 or something? (haven't tested it)

  • Dave (unregistered) in reply to Dave
    Dave:
    How about *name =& !32 or something? (haven't tested it)
    Except, of course, replace the logical not with the bitwise version *name =& ~32 oops
  • Carra (unregistered)
    Comment held for moderation.
  • Patrick (unregistered) in reply to Migala
    Migala:
    Ben:
    echo ucfirst($_GET['name']);

    The real WTF is how this guy just added an XSS vulnerability.

    That has always been there:

    default:
    	echo $name; // Name not in the database yet...
    

    Perhaps it's just a simplified version of what the code actually does.

  • (cs) in reply to widget
    widget:
    A co-worker had a quote from the legal profession, but it applies to software as well:

    I could have made it shorter, but I didn't have any more time.

    Your co-worker was paraphrasing (to be charitable) Mark Twain--

    "I didn't have time to write a short letter, so I wrote a long one instead."

  • xzzy (unregistered)

    I could forgive missing the existence ucfirst(), it's not like php has any kind of identifiable pattern for naming functions. Would be pretty easy for a newbie to miss stuff like that.

    Doesn't excuse the ginormous switch statement though, in the worst case there are plenty of other functions with much more standard names that could be used in performing the same job.

    But I could certainly see missing ucfirst(). Many times I've been idly perusing their online docs for whatever reason and found some obscure routine that makes me go "darn, I wish I knew about that when I was working on X". Sometimes I'll even go back and rewrite stuff!

  • (cs) in reply to Migala

    Who said there was one to begin with? Maybe the application does what it should be doing and escapes the data at output?

  • Jonathan (unregistered)

    A big ugly case statement with 10s or 100s of individual usernames, and nobody had a BiCaps style name?

  • wtf (unregistered)

    TRWTF is the title... Reverse Dictionary Attack seems more suitable... or Dictionary Defense

  • (cs)

    The real WTF is that he didn't make it a function.

    Addendum (2007-12-19 12:19): EDIT: Also, could you call this a worst-case scenario?

  • (cs) in reply to Tom Melly
    Tom Melly:
    This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

    I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

    Maybe that's the problem. Maybe the initial author DID look for example code, and took the first solution he found, which happened to resemble this one.

  • Sumudu (unregistered) in reply to FredSaw

    I find it easier to remember that you just have to clear the 2^5 bit (off for uppercase, on for lowercase).

  • bull (unregistered)

    What if they hates those people with known names and try to take revenge by ... up case the first letter :P

  • Jethris (unregistered)

    Have they never seen names like DeShawn, KeMika, etc.?

  • bull (unregistered)

    C'mon people, at least he know how to use switch-case instead of if-else

  • ChiefCrazyTalk (unregistered) in reply to crxs
    crxs:
    ...being paid on Lines Of Code, David had to pay $320.50 when he finished the project.

    I realize that "paid by the line of code" is a standard joke, but has anyone REALLY been paid by the line of code?

  • (cs) in reply to Zylon
    Zylon:
    widget:
    A co-worker had a quote from the legal profession, but it applies to software as well:

    I could have made it shorter, but I didn't have any more time.

    Your co-worker was paraphrasing (to be charitable) Mark Twain--

    "I didn't have time to write a short letter, so I wrote a long one instead."

    Except it was Blaise Pascal, not Mark Twain.

  • Tim (unregistered) in reply to Tom Melly

    does it never occur to them, when they're coding this >>stuff, that there might, y'know, be a better way?

    This isn't good coding? I write all my code this way. :)

  • Marcos (unregistered)

    I wonder if this code was produced by a script that took a list of names and output the entire switch statement? that would mean the programmer did know how to uppercase a letter, but seing this kind of code, I think anything is possible.

  • Franz Kafka (unregistered) in reply to foo
    foo:
    Anigel:
    Well thats all the O'Driscolls and McDonalds buggered then aint it.

    Some times saving many lines of code is really not as clever as it sounds.

    ... As far as your little website goes. If the user types their name as laForge or la Forge or LaForge or FaGeorge you shouldn't care... really... you just shouldn't care.

    If marketing wants to make names "uniform" then you wash the strings how ever the hell they say but do it only on their display/page not in the database... not anywhere else.

    Once they notice Mcdonald they'll have that conversation with you and you can point out that what if the name is La Forge and that's the name not La as the middle name and Forge as the last name but literally La and then Forge... and so on.

    The real WTF is Who the F do you think you are to "correct" how people spell their own names?

    wait'll they find diMarco (that's how it's capitalized). Anyway, it's perfectly reasonable to screw up names with handwritten input data and so forth. Getting more names spelled right does help with things like collections.

  • (cs) in reply to Jethris
    Jethris:
    Have they never seen names like DeShawn, KeMika, etc.?

    Had this been implemented properly, "special cases" still could have been handled. This code treats every name as a special case, which makes it even harder to find and validate the ones that truly are.

  • Franz Kafka (unregistered) in reply to widget
    widget:
    A co-worker had a quote from the legal profession, but it applies to software as well:

    I could have made it shorter, but I didn't have any more time.

    KISS. Live by it.

    That's a marktwain misquote: "I apologize for the length of this letter. I don't have time to write a short one." - more or less

  • dcardani (unregistered) in reply to Tom Melly

    What I wonder is why they force names to all lowercase in the database in the first place? My bank does this with vendors I have set up to pay (only to all uppercase instead), and it's really annoying. It makes it much harder to read through the list of them to find the right one. And they have something like a 10 character limit, which is fine if the vendor is "AT&T" but a pain if there are 2 vendors, like "Acme Electrical Contractors," and "Acme Electricity Company." Both show up as "ACME ELECT." Lovely. Why not make the limit reasonable and use the casing the user entered? That way, names like "Mary Ann," which have 2 upper case letters don't become "Mary ann." What is the point of forcing the names to lowercase? It doesn't save you any space in the database. Why would you ever change the data the user entered?

  • Thomas (unregistered)

    IMO, writing a routine to "fix" the data in the UI is the real mistake. Why not tell the users to fix the data? If this routine was used on entry, then tell the users to enter the data the way they want it displayed. I.e., the cheapest solution that involves the least amount of code is to make the users accountable.

  • (cs) in reply to dcardani
    dcardani:
    What I wonder is why they force names to all lowercase in the database in the first place? My bank does this with vendors I have set up to pay (only to all uppercase instead), and it's really annoying. It makes it much harder to read through the list of them to find the right one. And they have something like a 10 character limit, which is fine if the vendor is "AT&T" but a pain if there are 2 vendors, like "Acme Electrical Contractors," and "Acme Electricity Company." Both show up as "ACME ELECT." Lovely. Why not make the limit reasonable and use the casing the user entered? That way, names like "Mary Ann," which have 2 upper case letters don't become "Mary ann." What is the point of forcing the names to lowercase? It doesn't save you any space in the database. Why would you ever change the data the user entered?

    Many reasons... Lots of these systems were not re-written, they were ported to newer systems keeping the old flaws intact. Some weren't even ported but are still running in their original state. Old mainframe systems were very limited as to storage space so having a ten character limit back then seemed appropriate, remember these system are either still running or simply ported. These same systems sorted by numerical value, not true alphabetic, so you got a-z then A-Z so things would be sorted as such:

    apple cat Banana

    Making sure everything was the same case fixed this problem.

  • (cs) in reply to Tj
    Tj:
    being paid per line thats just scary.
    Not as scary as getting paid by the bug fixing errors in your own code.
  • Thor Larholm (unregistered) in reply to Migala

    The XSS was already there and David had to keep the code functionally equivelant ;-)

  • rootbeer22 (unregistered)

    I hope they don't have any customers named JoAnn, RoseMarie, or LaWanda...

  • BM (unregistered) in reply to ChiefCrazyTalk
    Comment held for moderation.
  • Oleg (unregistered) in reply to Migala

    That's not a vulnerability, it's just some output.

  • Rance Mohanitz (unregistered) in reply to RazZziel
    RazZziel:
    You don't even need a builtin function, just *name -= 'a'-'A';

    Sigh the old times when men were men...

    and sheep were nervous.

  • Dana (unregistered) in reply to Migala

    There's also no way to know from the snippet whether any further SQL escaping is done, anyway.

  • (cs) in reply to Dana
    Dana:
    There's also no way to know from the snippet whether any further SQL escaping is done, anyway.
    Well, it's returned by "echo"... so unless whatever calls this code is wrapped with ob_start, or there's something that sanitizes $_GET beforehand, then it's going straight to the browser. Given the standard of code we've seen so far, I'd consider both of those unlikely.
    Oleg:
    That's not a vulnerability, it's just some output.
    But what happens when you're the administrator of that site, and I trick you into clicking a link that has a name of "<script>window.location = "adminarea.php?giveadminaccessto=phlip";</script>"?

    Addendum (2007-12-19 16:00): Of course, that's not much different than just tricking them into clicking a link to admin.php?etc but if you shove AJAX code in there, you can have it do absolutely anything on the site that the victim could do.

  • olorin (unregistered) in reply to RazZziel
    You don't even need a builtin function, just *name -= 'a'-'A';

    Sigh the old times when men were men...

    yeah, but does that work in non english, non ascii locales?
  • (cs) in reply to Carra
    Carra:
    I be he wrote a smart script to create all those files instead of writing em all!

    Something like:

    open(MYFILE, "c:\myNames.txt"); @lines = <MYFILE>; close(MYFILE); foreach $line (@lines){ print "\t case " . $line; substr($line, 0, 1) =~ tr/[a-z]/[A-Z]/; print "\t\t echo " . $line; print "\t\t\ break;\n"; #Can't forget this! }

    slurp it all in hey? Something more like this might be better on memory usage, plus a few minor syntax error fixes:

    open(MYFILE, "mynames.txt"); while (<MYFILE>){ chomp; next if (! /^[a-z]+$/); print "\tcase '$_':\n\t\techo '"; print ucfirst; print "';\n\t\tbreak;\n"; #Can't forget this! } close(MYFILE);

    Perl to generate PHP FTW!

  • SJS (unregistered)

    I know people who have multiple capital letters in their name.

    I know other people who have decided that they will eschew all capital letters in their name.

    The real WTF is why there's a need to make this change to such a string. Why not believe the user when they provide you with their name?

    You'd think people would know how to capitalize, or not, their own name.

  • mdmadph (unregistered)

    something I've always known -- if I find myself coding the same thing (or similiar things) in code more than twice, I know that there's probably an easier way to do it.

  • BillyBob (unregistered) in reply to foo
    foo:
    It is utter fallacy to think that you GET to tell people how their names are spelled. NOBODY gets to tell people how to spell their own names. not the US government, not your mamma,

    Most people spell their name exactly how their mamma told them to spell it :-)

    It seems the name is stored in the database in all lowercase and then the first letter is capitalised just before output.

  • BillyBob (unregistered) in reply to dcardani
    dcardani:
    What I wonder is why they force names to all lowercase in the database in the first place? My bank does this with vendors I have set up to pay (only to all uppercase instead), and it's really annoying. It makes it much harder to read through the list of them to find the right one. And they have something like a 10 character limit, which is fine if the vendor is "AT&T" but a pain if there are 2 vendors, like "Acme Electrical Contractors," and "Acme Electricity Company." Both show up as "ACME ELECT." Lovely. Why not make the limit reasonable and use the casing the user entered? That way, names like "Mary Ann," which have 2 upper case letters don't become "Mary ann." What is the point of forcing the names to lowercase? It doesn't save you any space in the database. Why would you ever change the data the user entered?

    Your bank probably has software from nearly 50 years ago working with that same database.

    There would have been little library support for searching/sorting. Now saving an entire function call on each comparison is fairly significant.

  • Craig Beere (unregistered) in reply to Dave
    Dave:
    Dave:
    How about *name =& !32 or something? (haven't tested it)
    Except, of course, replace the logical not with the bitwise version *name =& ~32 oops

    That approach is a bad one because it relies on a numerical relationship between upper case letters and lowercase letters that is not always true. For example, it will fail if your name begins with Ā (capital a macron) with code 0x0100 since the lowercase version ā is code 0x0101.

    Cheers Craig

  • Andrew (unregistered) in reply to RazZziel
    RazZziel:
    You don't even need a builtin function, just *name -= 'a'-'A';

    Sigh the old times when men were men...

    In the old days, when IBM used EBCDIC, this would be wrong! The upper/lower-case functions are character encoding aware, and users should apply them. Not everyone writes in English either.

  • she (unregistered) in reply to Migala

    Its php... what do you people expect.

    A horrible language that should have never been able to win the www (and shame on the other languages for not being there to block php's rise to fame...)

  • (cs) in reply to xzzy
    xzzy:
    I could forgive missing the existence ucfirst(), it's not like php has any kind of identifiable pattern for naming functions. Would be pretty easy for a newbie to miss stuff like that.
    Agreed on the PHP function-naming convention (or lack thereof); it's like a bunch of people took the suggestion in a Digital Undergroud song too literally...

    But still, if you know about switch, ya gotta know about strtoupper & substr (if you're going through the function index, you'll see both of those before the word 'switch'). At the very least it would give you an awkward, but functional:

    echo (strtoupper(substr($name,0,1)).substr($name,1));

    (XSS vulnerability acknowledged; wrap the works in htmlentities or htmlspecialchars if you'd like)

  • (cs) in reply to Daniel15
    German B.:
    Ben:

    The real WTF is how this guy just added an XSS vulnerability.

    Can you guys please explain this problem you're talking about? Thanks...

    http://xkcd.com/327/

  • (cs) in reply to Mr Ascii
    Mr Ascii:
    Tj:
    being paid per line thats just scary.
    Not as scary as getting paid by the bug fixing errors in your own code.
    Oh yes, I send a story in about that one. My boss decided that was a good tactic to reduce the number of bugs in the code. QA and programmers got money for each bug foung/removed.

    Well, we found a LOT more bugs, but for some strange reason, the number of bugs in the final version was even higher then usual.

  • Bobman (unregistered) in reply to Migala

    How is that an XSS Vulnerability?

  • Ed (unregistered)

    Look on the bright side. It could have been a nested if.

  • Me (unregistered) in reply to Migala

    ITYM SQL injection vulnerability.

  • danopia (unregistered) in reply to Me
    Me:
    ITYM SQL injection vulnerability.
    Another WTF... How is that SQL injection! XSS, yea, but where's the SQL injection vunerability?
  • SK (unregistered)

    Here is another real story: we were working on an Oracle database and we had to create synonyms for about 600 odd tables. The Oracle-certification-earned hire copied the names in an Excel spreadsheet column, added the syntax "create synonym ..." etc. in the surrounding columns, saved it as a text file, and ran it as a script! And she erred, and missed some, which caused me grief, which is how I found that she had missed some.

    I was not on the db team, but wrote a simple PL/SQL script that did the whole thing in a few lines, and was error free. And, no, I don't have any Oracle "certificate".

    The funny part was, when I showed it to her, hoping that she would learn, or at least take a hint, her response was, "Oh, that is just another way of doing it."

    With people like that at the helm, is it any wonder then that systems break like they do?

Leave a comment on “Reverse Brute Force”

Log In or post as a guest

Replying to comment #:

« Return to Article