- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
The new "code" is from right here...
http://lordnick.proboards6.com/index.cgi?board=introduce&action=display&thread=1018399396&page=4#1020689979
Admin
That popup doesn't necessarily mean JS - they could have used AJAX to verify the password at the server's side.
But they didn't.
Admin
OK, so I entered 'test' as a password, was able to do a search, and selected only Florida in the State field of the search criteria. Here is what came out:
"Your search did not match any ads.
Could not find images: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'exists(select 1 from dbimg_ImageAttributeValue iav where iav.a"
So either the server side is programmed about as well as the web page, or else no companies in Florida were stupid enough to fall for the scam?
SQL injection, anyone?
Admin
Seriously, just go to this url to "hack" the site
http://www.federalsuppliers.com/test.html
Admin
Forgot the plethora of already mentioned WTFs, I haven't seen that much static HTML since 1995.
Admin
is this the "new" page? of suppliers?
http://www.federalsuppliers.com/gallery.html
Admin
You, sir, are a certain kind of special. First off, it's not "hacking" if you can figure it out by viewing page source. Secondly, I highly doubt an organization without the technical brainpower to secure a page beyond javascript-based password prompting would have the wherewithal to "get our info" so quickly - sorry, charlie, but subpoenas don't go through THAT quickly.
And for the love of Christ, could you PLEASE learn the difference between "of" and "have"? It's should have, not should of. How people with such a poor grasp of the English language manage to land and keep jobs is beyond me. Oh, wait, I almost forgot - sales doesn't require intelligence or a real education.
Admin
Admin
A bit of Googling suggests that this is stock boilerplate text from the Plesk control panel, which FSG has previously been noted as using.
Admin
THAT IS AMAZINK!
I just entered my "special" password "http://www.ebay.com/index" and it appears that the list has been replaced by Ebay, who knew you could purchase federal supplies there.
Admin
Just so you don't have to play catchup with their "clever" password schemes, here are some core urls;
List of ads sorted by Name: http://www.federalsuppliersguide.net/?_orderBy=name
Individual ad (enumerate imageId if you wish): http://www.federalsuppliersguide.net/?_orderBy=name&imageId=4221
Individual ad (by name): http://www.federalsuppliersguide.net/?_name=Spwipes
And finally the not surprising proof that you could just use SQL injection to steal the entire database: http://www.federalsuppliersguide.net/?_name=%25&_description=%25&_q1=1&_q2=52&_q3=156&_orderBy=name
CAPTCHA: Mummy ate my monster!
Admin
A better analogy is that they put the key in a park but forgot to put the door!
Admin
It is 'should have' not 'should of'. Otherwise the posting could use a little more white-space, perhaps the odd paragraph break.
Admin
Isn't there a function to disallow comments on an article?
Admin
interesting that the code they took is called "Cut-N-Paste JavaScript" but then says it has a copyright. Does he want the code to be copied or not?
Admin
Hey Franz...
To clarify the term Public Domain usage. I am aware that the content of the page is copyright protected, however the usage of the content is not. As long as an individual were to give credit and reference the source, which has been done in this instance, it is not protected by any other means. Why is this true? Because the information (code) was sent to an individuals internet browser on request without requiring special security or authentication to acquire it. In other words it has been provided without charge or special privilege into the public domain.
If you disagree please be kind enough to elaborate.
Respectfully Submitted,
Admin
Yay :D
[ http://www.federalsuppliers.com/warning.html ]
<!-- // **** You WILL NOT get access without a valid password **** var suffix = ".html" // **** javascript:IPcatch:subject?Source_code_violator **** var pass_msg = "Password: "; function go_there() { location.href = document.pass_form.pass.value + suffix; } document.write('<form name="pass_form" onSubmit="go_there();return false">' + pass_msg + '<input type="password" name="pass" size="20" value="">' + ' <input type="button" value="Verify" onClick="go_there()"></form>'); // -->Admin
lmao. Yeah. Glanced at the code and the first thing I thought was "just rabbit the damn list page" http://www.google.com/search?q=site%3Awww.federalsuppliers.com)
Seventh link on the list.
XD
These guys are pro. It's kind of fun to use their little 'password' box to navigate to various pages around their site.
If they get paid that much for each client then they ought to get a webmaster that can handle a little server-side code. FFS...
Admin
http://www.federalsuppliersguide.net
Admin
I get calls from them. Their sales people call me and start off with some absurd question like, "would you accept a no-bid contract for up to $100,000" or something like that. They won't stop reading their script when I try to interrupt them with some question like, "are you calling from a federal agency?" I've never signed up with them, because everyone knows, or should know, that Federal buyers shop on GSAAdvantage, and GSAAdvantage is free for all GSA contract holders.
Admin
What's up with this form?
http://www.federalsuppliers.com/form.html
I can't figure out where I'm supposed to enter my company name.
Admin
It's "secure" now because you need an unique password. If you type something it redirects you to a non-existing page.
But hey, wait... Let's just try something... What about "test"?
Uh-oh. What? It worked.
Admin
Back when I was an over the road trucker (I came off the road in 2002), all I had to do to listen to cell phone calls was turn on my Bearcat 800 scanner and set it to frequency roam. I was always picking up cell phones, especially in the 800 - 900 mHz range. I didn't even have to tweak the scanner; it worked that way right from the factory.
Admin
they may have held a gsa but that ended more than 7 years ago....they don't tell you probably 90% of companies never get a single call from thier guides..thats why they dont want you contacting thier clients most sign up for a year and never again.once they realized they were duped....thank god new companies are formed every year(pool of new suckers) once they take your money and put a ad in thier guide thier job is done.as someone who worked for them before...just like first commentator...we know all the lies they have people tell to get your money
Admin
Everything always seems to happen in pairs... Here's another company now accusing someone of "hacking" their site, just because they found a URL that wasn't secured:
hxxp://www.dslreports.com/shownews/MobiTV-Threatens-HowardForums-Shutdown-92429
Admin
I entered 'test' just to see what it would do if I got the wrong password. Turns out it was the right password. WTF indeed.
Admin
You're kidding right? You can't even start your sentences with a capital letter or use an apostrophe and your comment is filled with typos characteristic of the way teenagers write ("should of"? Get outta here!), how do you want to be taken seriously?
Admin
Can we stop this now?
Can we stop that now?
Admin
rofl?
Anyone could make their site secure, even a 13-year old. And I'm not just saying that because I'm thirteen, too. :P There must be people 9 or 8 years old who can protect these websites.
It's a shame - I hope that if any legal situation arises (and it seems to already have) that they are proven wrong. I saw a comment here about google search returning the "secret" page - that doesn't seem too smart.
Interestingly, the design of the website isn't too bad - I like it. But the programming beneath it sucks, and I'm not bringing any news to the table.
Admin
listing gives you how to USE the guide, gallery gives you the guide ITSELF. Basically the password is just the name of the file the guide is, so go to google and type in inurl:federalsuppliers and it will give you all of the "passwords" you need.
Admin
Scratch that, all you need to do is go to federalsuppliers.net. In order to secure their website, they changed the domain and made a new login page as a diversion. Real sneaky.
Admin
sorry(again) but I don't have an edit button. Maybe you can clean this up later. It is federalsuppliersguide.net
Admin
Now moved to the oh so secret location of agents.federalsuppliers.com/agents.html no password required
Admin
Another quirky thing I noticed: that sample ad they sent you has a recent copyright notice at the bottom... but the ad is from 1986.
Delcowire has been in business for 12 years! That's right: since 1974.
Admin
Note to Federal Suppliers Guide: you don't need to do anything complicated. You don't need a database, and you can stick with plain old HTML on your server. Just use standard password authentication for this section of your website.
Google something like ".htaccess user authentication" to find instructions.
It seems like you're hosted with RackSpace -- pretty expensive for what you actually need! ..but I'll bet they'd be happy to set it up for you if you're having trouble.
I'd suggest giving different clients different passwords, but you can even just go back to one username & one password (just choose them carefully).
Admin
Love the "wasted money" graphic they have on their front page ---- seems pretty appropriate for their services.
Admin
Saw that same thing in the code but get this. They are just appending whatever you type in the "password" box to a redirection on the server. To get in, just type in the word test and wham you can search their database of ads. Has their programmer seriously never heard of SERVER side authentication? I mean come on.
Admin
they are getting smart rightnow lol ... :p
Admin
hehe .. !! is very simple to see what page is going to be the ****.html
google "site:officers.federalsuppliers.com" you will find a lot of pages if the page has taken offline you still can view it on cache.. these post is very funny while they will never scape to google cache until they made a full site re-implementation
Admin
Whats funny is network security consultants aren't that expensive for an operation thats that "large". You also know that their not defrauding you cause they would have more common sense if they were.
Admin
He grabbed that new fancy password code from a geocities site and didnt give the author credit... classy!
http://www.geocities.com/o3wishes/TIPS.html
Admin
Man, these guys are ON TOP OF THINGS! As soon as someone finds the new way to access the list, IT CHANGES!
Wait, what does that mean for people who paid to be listed on the site?
It must be hell to deal with these people.
Admin
http://www.federalsuppliers.com/listing.html
Admin
You fail.
Admin
This make me laugh real hard. Reading the comments i thought that this is just a joke. So i tried to open the site.
http://www.federalsuppliers.com/warning.html
looking at the "secure javascript code" it made me realize that it is quite secure... but my grandmother told me that i should type "listing" in the password input fields.
what is this any federal listing anyway?
Admin
Your a tool no one in your company cares if you have been hacked also you said you held that means it is past tense so you no longer have it and the comments were truthful this is some ones opinion so that is fact and if you want your website "Hacked" get real security so it will be fun to rip your site up and go ahead and pull my info I have randomized my info and am will probably come up as being a twelve year old girl
Admin
Bob, learn2type. And in-ter-punc-tu-ate!
Admin
A clever way to disguise the name of the page in a password: http://www.federalsuppliers.com/listing.html
Admin
dear fsg,
i think its time to hire someone to upgrade your site to beef up your security, even if it's just your secure area.
Admin
I just wanted to say thank you to the Daily WTF for this article. Recently I started a new company and we filed with the CCR, just before I read this article. Only one day after filing I received a call from...guess who...Federal Suppliers. I respectfully told them I had not interest in their "product."
Thanks again for saving me time and money.