Well... It's still security by obscurity, but at least it's a bit better.
Hey FederalSuppliers guys, here's some advice for you: go buy an internet security 101 book before somebody meaner and badder than the good guys here punches a hole in your security again and does some real damage.
Admin
So the new password is listing. Found this out by using Google to search
http://www.federalsuppliers.com/warning.html
then using the "view similar pages" link.
So, it's not my fault that Google is a gateway tool.
Admin
"Should HAVE protected your info," not "should OF."
Admin
Actually it's not, that's in the clear under Procurement, and then click on the index link.
What's amusing is the real password is test.
test.html redirects to http://www.federalsuppliersguide.net/ where all their data is in the clear.
Admin
Actually, the new login secures the whole web, or at least all addresses that end with .html! Even more, it assigns an own password to every .html page on the web! Brillant!
I wonder how they described this incident to their agents. Maybe something like "A gang of Internet Hackers, supposedly from the organization known as "Anonymous", hacked our servers, therefor we had to change the password." ---- "Oh nose, they did it again! Here's the new login data." ---- "Oh dear, such brillant hackers. Here, the new login data." ---- "Sorry, we had to take the site down because of recent attacks. We are working on a better protection system." ---- "Gladly, one of the hackers has posted a better solution. Let this be his fate. The new password is blabla."And what their agents must have thought: "WhoTF are you? Oh.... whatever." - "WTF, again? Lulz." - "WHATTHE- nevermind." - "....... OMG" - "WhoTF cares?"
Admin
They also left their database open with unsanatized inputs on page: http://www.federalsuppliers.com/test.html ENJOY!
Admin
Here's my take on TRWTF. According to the article, Federal Suppliers Guide states that their guide is used EXCLUSIVELY by the gub'ment. They're hoping you misinterpret that to mean the government uses their guide exclusively - as in that's the only place they go to find these products and services. That would be insane. However, by "securing" these ads and only providing access to government agencies they can honestly say that they ARE USED (passive voice here) exclusively by the government.
Admin
FSG uses their own service to hire web-developers, trust me I work for the government, I know how shitty the contractors are roflmao!
Admin
Admin
Dang, now you need the password to get in
// **** You WILL NOT get access without a valid password **** var suffix = ".html"
// **** javascript:IPcatch:subject?Source_code_violator **** var pass_msg = "Password: ";
function go_there() { location.href = document.pass_form.pass.value + suffix; }
document.write('<form name="pass_form" onSubmit="go_there();return false">'
Admin
Dang, no robots.txt either, google doesnt have the files either :-(
Admin
On the off-chance that this is a legitimate employee from FSG, I just want to say: it doesn't matter what YOU tell us. What matters is what your CLIENTS tell us. Regardless of how the client information was obtained, the fact is that the clients have been unsatisfied with your service. Instead of complaining about how "evil hackers" are hurting your service, how about improving your service so your current clients will be proud to recommend you to others?
Admin
Who needs a password
http://www.federalsuppliersguide.net
Search to your hearts content (about 3 seconds)
Admin
The password is "listing".
Admin
Currently seen on http://www.federalsuppliers.com/warning.html
Which is a very fandangled way of doing a user-supplied redirect.
Sure enough, entering "test" forwards you to http://www.federalsuppliers.com/test.html where all ads can be searched.
Captcha: haero
Admin
Did you email them?!
Admin
No it's not, it's 'test'
Hmm, I just tried searching, and got this error
Your search did not match any ads.
Could not find images: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'exists (select 1 from dbimg_ImageAttributeValue iav where iav.aI was going to say 'at least they sanitise their SQL inputs', but I'm not so sure they do now - with an SQL statement like that (even allowing for truncation), I wonder if anyone there has got a clue what they're doing.
Why would anyone do 'select 1 from
where <anything>'?? Wouldn't just 'select 1' do? Does he really mean 'select * from ... LIMIT 1'?(This reminds me of the Tim Tang Test...)
Admin
Admin
I just love the way the "fixed" it. It redicts to page [YourPassword].html .
Admin
Grammar is your friend, mmmkay. Why the government should trust you is beyond me.
Admin
Grammar is your friend, mmmkay. Why the government should trust you is beyond me.
// **** javascript:IPcatch:subject?Source_code_violator **** var pass_msg = "Password: ";
function go_there() { location.href = document.pass_form.pass.value + suffix; }
document.write('<form name="pass_form" onSubmit="go_there();return false">'
priceless.
Admin
listing is the password, takes you to the original page.
the test.html page is just a test page the rookie webmaster has left up!
Theres probably index2.html, etc still about aswell.
This site makes me cry :'(
Admin
Idle threat. You may have our information, but seeing your JS skillz, i doubt you know where to look.
If you find anyone who does, ask him to fix your security for you while he's at it.
Admin
Sounds a lot like some of the "charity publishing" scams operating out of Merseyside, England for the last few years. Small businesses get cold-called and invited to make a small donation to a charity in return for advertising space on wallplanners, diaries or booklets to be distributed in the community. The charities never see more than a few pennies, the publications don't exist, and the crooks run off with your money.
Only difference is, this scam is online, and hopefully the US authorities take it more seriously than the UK ones.
Admin
Don't worry... you can still get in using a google search.
That way you don't have to "hack" the site by using the password "listing" that someone was kind enough to find for us.
Admin
So will they sue Google for breaching their "security"? ;-D
Admin
It might help if you actually knew how to program... these people are actually doing you a favor.
Admin
Reading source code isint hacking thats like putting the combo to a safe on the safe then sitting it in the middle of a park- then yelling THIEF! when someone opens it.
"though you don't care you are hurting the feelings of many good employees and customers by your immature actions."
You need to find new employees if thats the best password mechanism they can accomplish to produce.
Admin
http://www.federalsuppliersguide.net/?_name=&_description=&_q1=&_q2=&_q3=&_orderBy=name
Admin
Checking the Script node under FireFox DOM Inspector for this stupid site. I thought you guys might get a kick out of this. It appears that they left some useful information on their 404 page. Of course... you have to HACK their site to read it... but oh well.
<HTML> 2<HEAD> 3<TITLE>404 Not Found</TITLE> 4</HEAD> 5<BODY> 6<H1>Not Found</H1> 7The requested document was not found on this server. 8<P> 9<HR> 10<ADDRESS> 11Web Server at federalsuppliers.com 12</ADDRESS> 13</BODY> 14</HTML> 15 16<!-- 17 - Unfortunately, Microsoft has added a clever new 18 - "feature" to Internet Explorer. If the text of 19 - an error's message is "too small", specifically 20 - less than 512 bytes, Internet Explorer returns 21 - its own error message. You can turn that off, 22 - but it's pretty tricky to find switch called 23 - "smart error messages". That means, of course, 24 - that short error messages are censored by default. 25 - IIS always returns error messages that are long 26 - enough to make Internet Explorer happy. The 27 - workaround is pretty simple: pad the error 28 - message with a big comment like this to push it 29 - over the five hundred and twelve bytes minimum. 30 - Of course, that's exactly what you're reading 31 - right now. 32 -->
Admin
I think the WTF now is that most of this is HTML. meaning somebody typed that entire list in a single file, and not SQL or something useful
Admin
"listing" is for the index... but "gallery" gets even better.
Admin
I was just randomly playing with their site and figured out a password to access the list. If you go to http://www.federalsuppliers.com/warning.html and use "test" as the password, it will give you full access. Let's see how long this will work.
Kevin Harris http://www.thekevdog.com [email protected]
Admin
Admin
Try test and you're in:)
Admin
I wonder if this company is secretly managed by the city of <a href=http://www.centos.org/modules/news/article.php?storyid=127>Tuttle, Oklahoma?
Admin
Login page now says
http://www.federalsuppliers.com/gallery.html still works just fine, though.Somewhere in Florida, a 14-year old CEO's nephew is having a bad couple of days...
Admin
At least they're actively working on it.
Anyone else noticing a larger than usual amount of spam being sent to your domain over the last few days?
Admin
Right.
http://answers.yahoo.com/question/index?qid=20080221122622AAn21Qx
Even the nimrods at Yahoo Answers know your company is a scam.
Admin
That's a lot of traffic all the sudden!
http://www.alexa.com/data/details/traffic_details/officers.federalsuppliers.com
Admin
http://www.federalsuppliers.com/warning.html
Now showing:
This section of our website is currently undergoing maintenance. Please check back later or contact your FSG representative for assistance. .
Admin
Ha ha - 4 more yank kids starving to death. Just a few million more to go.
Admin
It would be doubtful that this would be covered. Internet security authors assume that you're clever enough to turn the computer on before writing "secure" websites. FederalSuppliers obviously gets their mommies to turn the PC on for them.
Admin
Admin
Well, at least it's visitor friendly, even if it hurts in the wallet.
Admin
Here's something interesting: I ran across this post in a computers forum, where a user asked about this exact code (the forum is in Hebrew, but you can see the code right there).
This took me by surprise, so I performed a small Google search and found this script as an example in a few javascript teaching websites: http://www.javascriptkit.com/script/cut76.shtml http://www.2createawebsite.com/enhance/password-protect.html http://www.sitepoint.com/forums/showthread.php?p=677417
Admin
Great post - I wonder if anyone has similar stories about the Marcus Evans group, whose sales team appears to have taken the same training courses as these guys and has the same 'value add'? Or maybe it's the same company - sounds too similar.