• DOA (cs)

    What was the site URL again?

  • **JdFalcon04 (unregistered)

    Sweet, now I have Alex's credit card number! Crap, it got rejected...

  • veggen (unregistered)

    Too broken to hack.

  • Mike Caron (unregistered)

    inb4TRWTFisPHP (even though the choice of language has nothing to do with anything)

    At first, I assumed that this was happening AFTER the log-in procedure, but I can see now that this is not the case.

    Even scarier, if this is actually the case, it would appear that it grants admin access BEFORE validating the credentials... Yeah, what site is this again?

  • Drew** (unregistered)

    It's not working right...

  • Rodnas (unregistered)

    When does the hurting stop?

  • Steenbergh** (unregistered)

    In fact, TheDailyWTF runs on similar software. I expect a deposit of $200,000, or the lights go out...

    You can find my bank account details under payment/data.php

  • My Name Is Missing (unregistered)

    I once worked on a contract at a University and found the login page put the username and password into a URL and did a GET to login. Plus for fun, I found one could delete all the records in the database by editing the URL. This database was used to justify all the payments from the state for their entire budget. Oopsy.

  • Nico (unregistered)

    Security through obscurity. Nothing wrong with that, right?

  • J.R. Blood (unregistered)

    Buh....

    /me eyes KB /me targets KB /me aligns head with KB /me starts to slameknmn234398ym a 4xjkrdfxc ujkigvcf jmkrdfex8ioghv**

    Whoa! Admin access! Coo!! Maybe I should have used a simpler method of getting a random username than having to use jmkrdfex8ioghv

  • Steve* (unregistered)

    HA HA, now I'm an admin here!

  • NetBiter (unregistered) in reply to My Name Is Missing
    Comment held for moderation.
  • bob171123 (cs)

    These two issues can be explained easily when you know the previous admin wanted to make his app as transparent as possible without revealing the source code. The double stars mean that user is double special and can act as an admin. The access to admin payments is another attempt at transparency. You have to learn a little more about his intentions before you call it a WTF.

  • Anonymous (unregistered)

    Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

  • Anonymous (unregistered)

    You do realize PHP hasn't stood for "Personal Home Pages" since 1997, right?

    And PHP is plenty fine for large scale applications, just as C is. It just depends on having a coder that isn't completely retarded. But then so does JSP, Java Servlets, or asp.NET.

  • Mr.Googler (unregistered)
    Comment held for moderation.
  • ** SR (unregistered) in reply to Anonymous
    Anonymous:
    Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

    Nonsense. Choosing a moron to develop this is the issue - it has nothing to do with the platform.

    And Alex - this is straight to Classic TDWTF. If this reappears on, say, Wednesday I'll be more than happy.

  • Top Cod3r lookout society (unregistered) in reply to Anonymous

    I thought PHP stood for programmers hacking porn.

  • C# Man (unregistered) in reply to Anonymous
    Anonymous:
    Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

    I believe Facebook is written in PHP.

    Though PHP does have a reputation for attracting a lot of hacks and amateurs, it does ultimately come down to the competence of the developer, NOT the technology.

  • Zylon (cs) in reply to Top Cod3r lookout society
    Top Cod3r lookout society:
    I thought PHP stood for programmers hacking porn.
    No, you didn't.
  • phargoth (unregistered) in reply to bob171123

    Sorry but... we are talking about credit card numbers and payments etc... the last thing that this should be is transparent. In my country we have a saying that is "the hell is full of good intentions", and this is one of those cases.

  • You sir, and idiot (unregistered) in reply to Anonymous

    Don't blame the gun, blame the shooter.

  • evilspoons (cs)

    Wow.

    Wow.

    My brain has locked up. That was too retarded for 8:30 on a Monday.

  • C# Man (unregistered) in reply to phargoth
    phargoth:
    Sorry but... we are talking about credit card numbers and payments etc... the last thing that this should be is transparent. In my country we have a saying that is "the hell is full of good intentions", and this is one of those cases.

    Sorry to be a pedant, but I thought the phrase was...

    "The road to hell is paved with good intentions"

  • bjolling (cs)
    Alex Papadimoulis:
    There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table.
    There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.
  • toth (cs)

    You guys are all wrong. This is totally secure. Now, if it were ONE star, then THAT would be insecure. But TWO stars? Now, who would ever guess that??!!

  • PHP Man (unregistered) in reply to bjolling
    bjolling:
    Alex Papadimoulis:
    There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table.
    There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

    OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?

  • Steenbergh (unregistered) in reply to evilspoons
    evilspoons:
    My brain has locked up. That was too retarded for 8:30 on a Monday.

    Good thing then that it's 3:30PM here...

  • Patrick (unregistered) in reply to Anonymous
    Anonymous:
    Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page...

    Yes, writing an application in Personal Home Page is stupid, especially considering it doesn't even support database connectivity. Now, Imma let you finish, but this PHP is Hypertext Pre-Processor, which is the best web language of all time!

    (I'm sorry, I couldn't help it...)

  • I Collect Spores Molds and Fungus (unregistered) in reply to PHP Man
    PHP Man:
    bjolling:
    There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

    OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?

    Imagine a single Twinkie represents all the WTFs ever created in LAMP. Active Directory itself would be a Twinkie 35 feet long, weighing approximately 600 pounds.

  • toth (cs) in reply to PHP Man
    PHP Man:
    bjolling:
    Alex Papadimoulis:
    There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table.
    There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

    OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?

    http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

  • ObiWayneKenobi (cs) in reply to I Collect Spores Molds and Fungus
    I Collect Spores Molds and Fungus:
    Imagine a single Twinkie represents all the WTFs ever created in LAMP. Active Directory itself would be a Twinkie 35 feet long, weighing approximately 600 pounds.

    That's a big Twinkie!

  • Patrick (unregistered) in reply to PHP Man
    PHP Man:
    bjolling:
    Alex Papadimoulis:
    There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table.
    There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

    OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?

    Some bloated crap Micro$oft made to give admins job security. Basically, every function of an application is a "task", Users can be assigned multiple "roles" and if that role can perform a specific task, then permission is granted. Some tasks can be performed by more than one role, and if lots of users are given the same roles, the roles can instead be assigned to a "group" that the users then become "members" of. Administrators have access to all roles, so only one administrator account is needed - in case you lose the user with the role of assigning roles.

    Woo. So, that's the simple version. And then in the code you can accidentally make something that completely skips the role check, and everyone can access it. Among other problems.

  • tim (unregistered) in reply to C# Man
    C# Man:
    Anonymous:
    Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

    I believe Facebook is written in PHP.

    Though PHP does have a reputation for attracting a lot of hacks and amateurs, it does ultimately come down to the competence of the developer, NOT the technology.

    Just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages, any more than Microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. And yes, I have built PHP web sites.

  • SoaperGEM (unregistered) in reply to Anonymous
    Anonymous:
    Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

    Well, Facebook's one example. They seem to be doing alright.

  • hobbes** (unregistered) in reply to tim
    Just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages, any more than Microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. And yes, I have built PHP web sites.
    So...the name is what makes a language suitable or not? Because thus far, that's the only criteria you have offered by which to judge PHP.

    A poor craftsman blames his tools.

  • Nick (unregistered) in reply to tim
    tim:
    C# Man:
    Anonymous:
    Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

    I believe Facebook is written in PHP.

    Though PHP does have a reputation for attracting a lot of hacks and amateurs, it does ultimately come down to the competence of the developer, NOT the technology.

    Just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages, any more than Microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. And yes, I have built PHP web sites.

    You're an idiot. PHP is plenty fine. It comes down to whether you are competent enough to harness the capabilities of the language.

  • yetihehe (unregistered)

    Hey, it's still better than one student's site, where the admin interface was phpMyAdmin. The user (old lady in reception) had to edit tables and write HTML code... just brilliant.

  • Bim Job (unregistered) in reply to hobbes**
    hobbes**:
    Just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages, any more than Microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. And yes, I have built PHP web sites.
    So...the name is what makes a language suitable or not? Because thus far, that's the only criteria you have offered by which to judge PHP.

    A poor craftsman blames his tools.

    <grammar nazi>criterion</grammar nazi>.

    You were doing well there, right up to the platitude. There are things that PHP is good for (not necessarily best for, but good for); the OP is clearly not one of them. Now for the platitude.

    When people say "A poor craftsman blames his tools," they are generally ignoring the following:

    (1) The original meaning of this phrase is that a good craftsman would have sharpened the tools, greased the wang-nuts, and generally taken more care. It isn't immediately obvious how this applies to the choice of PHP.

    (2) Should your choice of tools ("Look! I have a hammer! It must be a nail!") be inappropriate, a good craftsman will upgrade their tool-set.

    (3) On the unlikely assumption that the good craftsman was, in this case, forced to use a totally inadequate tool, much against their will, then a good craftsman will do the best f**king job they can -- and then leave, for a job where they can use proper tools.

    The guy in the OP is, however, simply a Tool.

    Best find a more credible defense for the 99.999% of PHP programmers out there who should be doing something more useful, like crocheting.

  • Steve-O (unregistered) in reply to Nick
    Nick:
    tim:
    C# Man:
    Anonymous:
    Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

    I believe Facebook is written in PHP.

    Though PHP does have a reputation for attracting a lot of hacks and amateurs, it does ultimately come down to the competence of the developer, NOT the technology.

    Just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages, any more than Microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. And yes, I have built PHP web sites.

    You're an idiot. PHP is plenty fine. It comes down to whether you are competent enough to harness the capabilities of the language.

    An extremely skilled craftsman can build a house with enough cardboard and duct tape... but should he?

    I'm not against PHP as a language for enterprise scale websites, just the argument of 'it takes a competent developer' is weak. Very weak.

  • PHP Man (unregistered) in reply to Bim Job
    Comment held for moderation.
  • Indrora (cs)

    TRWTF here is that instead of using, oh, I don't know, a boolean in the database (see below...) they've decided that it's OK to just drop things in. Cough. Guess it went to the lowest bidder.

    My note on databases: I've done database work for authentication. It can be quite useful. However, if you're going to use a database to authenticate your users, make sure it's behind some form of NAT. Beside your webserver behind a NAT. I saw once a table that almost generally met the requirements for a moderately secure system:

    -----------------------------------------------------------
    name                   type    len
    uname                  STRING  32
    uname_hash             STRING  512
    uname_isAdmin          BOOLEAN 1
    uname_isSuperAdmin     BOOLEAN 1
    pass                   STRING  1024
    pass_hash              STRING  1024
    ------------------------------------------------------------
    

    The password was (gasp) plaintext. isAdmin and isSuperAdmin showed if the user had admin privileges and could use sudo (under SSH, which every night a cron job kicked in to update sudoers). However, pass_hash had a particular quirk: it was the SHA-512 of the password, concat'd to the hash of THAT hash. So 512 bytes of SHA1, then 512 bytes of more SHA1.

  • Capt. Obvious (cs) in reply to Mike Caron
    Mike Caron:
    At first, I assumed that this was happening AFTER the log-in procedure, but I can see now that this is not the case.
    If that was the case, I can see it being less WTFy (from a final result/security POV. Still Dumb.) If '**' in a username meant admin (requiring admin access to set up) and it did the authentication first, it would at least be secure. I can see then removing the metainformation before saying "Welcome Joe**".

    Of course, upon reflection, he wouldn't have done that. But it was my initial and charitable view.
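    The two orderings discussed in this thread, written out as an added Python illustration (not code from the article or from any commenter): a login that decides the admin role from a "**" suffix on the user-supplied name before the credentials are checked, beside one that authenticates first and then reads the role from the stored record. The user store, the PBKDF2 parameters and the sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed store: the IsAdmin column the article mentions, with salted
# PBKDF2-SHA256 password hashes (parameter choice is an assumption here).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, is_admin: bool) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt),
            "is_admin": is_admin}

USERS = {                                   # constructed sample accounts
    "alex": make_user("correct horse", is_admin=True),
    "joe": make_user("battery staple", is_admin=False),
}
DUMMY_SALT = os.urandom(16)                 # used when the user does not exist
DUMMY_HASH = bytes(32)                      # never equals a real PBKDF2 output

def login_starred(username: str, password: str) -> dict:
    """The convention the thread is discussing: two trailing stars mark an
    admin, and that flag is set from the caller's input before any check."""
    session = {"authenticated": False, "admin": False}
    if username.endswith("**"):
        session["admin"] = True             # role granted before validation
        username = username[:-2]            # strip the "metainformation"
    user = USERS.get(username)
    if user is not None and hmac.compare_digest(
            _hash_password(password, user["salt"]), user["pw_hash"]):
        session["authenticated"] = True
    return session      # admin can be True while authenticated is False

def login_checked(username: str, password: str) -> dict:
    """Authenticate first; the role comes from the record, never the name."""
    session = {"authenticated": False, "admin": False}
    user = USERS.get(username)
    # Hash even for unknown users so a missing name costs the same time.
    salt = user["salt"] if user else DUMMY_SALT
    expected = user["pw_hash"] if user else DUMMY_HASH
    if hmac.compare_digest(_hash_password(password, salt), expected) and user:
        session["authenticated"] = True
        session["admin"] = bool(user["is_admin"])
    return session      # admin is only ever set after a successful login
```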

  • James (unregistered)

    So speaking as a desktop-app programmer who's only just starting to do more web development: if PHP is so evil, all you naysayers, what should I be using? (If anybody comes back with "JSP" I'll laugh them off the site).

  • Heron (cs) in reply to Steve-O
    Steve-O:
    I'm not against PHP as a language for enterprise scale websites, just the argument of 'it takes a competent developer' is weak. Very weak.

    I'd argue that "it takes a competent developer to write non-WTF-worthy code" is a universal truth, rather than a language-specific observation.

    I would also argue that there's no such thing as a WTF-proof language.

    Sure, some languages make it easy to write WTFy code. Visual Basic is one example. PHP is another. But used properly, both languages can be useful tools.

    I'm not saying "everyone should use PHP"; I don't think that's the case. I'm just saying if you want to avoid WTF-worthy code, language choice should be the last thing you're concerned about, not the first.

  • Heron (cs) in reply to Indrora
    Indrora:
    However, if you're going to use a database to authenticate your users, make sure it's behind some form of NAT. Beside your webserver behind a NAT.

    I think you mean "firewall", not "NAT". While NAT can often act like a firewall, it isn't a firewall, and is not a replacement for a firewall.

    There's no need for NAT if your firewall is set up properly (and NAT is often undesirable). Want to avoid people connecting to your database server? Set your database server's firewall to only accept incoming connections from your webserver's IP address.

  • denierLexiese (unregistered) in reply to ObiWayneKenobi

    What issues do you have with active directory?

  • Bim Job (unregistered) in reply to PHP Man
    Comment held for moderation.
  • Heron (cs) in reply to Bim Job
    Bim Job:
    Can we have a detailed argument as to why MUMPS (Oh, Poo!) is somehow inferior to PHP? I wouldn't choose either, myself (and I've worked with both). Intrinsically, either would work. Extrinsically, neither is a good choice.

    I think it would be easy to argue that for web development PHP is a better choice than MUMPS, given that PHP was (ostensibly) designed for web development, whereas MUMPS was not.

    That said, I'd agree that most people who write PHP nowadays should take up some other non-computer-related hobby instead.

  • gray goat (unregistered) in reply to Bim Job
    Comment held for moderation.

Leave a comment on “Starring The Admin”
