Not for the first time, I think Western Education is a little up the shit...
In the UK it tends to be (b) and (b).
Not only is this not valid PHP code (it has a misplaced "@" operator and is missing the ";" at the end of the line), but it also makes me think this is a made-up story by someone who, well, let's face it, doesn't know PHP.
There's probably a completely innocuous explanation for that. How long did it take the poster to find it, like 15 minutes at most?
In all likelihood, this was done to get around some annoying behavior during debugging.
On a completely unrelated issue, I've got some quality snake oil to sell. I'll make you a top price!
What's the Z word? (The Googles, they do nothing)
Also, the most popular Australian beers around here are XXXX ("four-eks") and VB. Easy to spell!
if every dishonest person were this stupid... the world would be a more beautiful place
I agree. I hope they filed the charge.
What method call?
You must be new here.
How would you know if it's proper English considering your own obvious lack of linguistic skill?
Along with that, I'm surprised he decided to dig into core immediately. I mean, getting a White Screen of Death with Drupal isn't uncommon. A quick google'd show that you'd need to raise PHP's memory limit when it happens. Typically, it won't leave anything in the logs either, since it pretty much loaded fine, but simply bails out.
Thirdly, I find it amazing that, as a contractor, that original dev never came across the proxy problem with Drupal (Drupal core doesn't have proxy support. There're several patches for it, but it's been lying around since 2004 waiting to be put into core). That, or the environment it had to run on simply didn't have any proxies to pass through (which in itself is just as big a WTF).
I find it amusing, though, that Laszlo immediately went in to dig through core and didn't jump out, scarred for life. Even the core maintainers've been complaining about how rotten and impossible to maintain it is lately :D
I wish this was a made-up story. Some details were cut by Alex for legibility, but I swear the code contained something awfully much like
Oh, and by the way, if my PHP seems rusty: thanks for the compliment!
How is disabling outgoing HTTP access for a non-interactive, informational website a WTF? Seems like a very sane security measure, and one that exposed this exploit to boot.
bootstrap.inc is the very first include file that is called for Drupal, and it's not that big, and the killswitch was located halfway along the file. That, and I have written PHP code waaaay worse than this myself :)
[quote user="Laszlo"][quote user="The poop... of DOOM!"] the environment it had to run on, simply didn't have any proxies to pass through (which on itself is just as big a WTF)[/quote]
How is disabling outgoing HTTP access for a non-interactive, informational website a WTF? Seems like a very sane security measure, and one that exposed this exploit to boot.[/quote] Didn't I say NOT using a proxy on a production environment is a WTF? Using proxies's a Good Thing ;)
[quote user="The poop... of DOOM!"]I find it amusing, though, that Laszlo immediately went in to dig through core and didn't jump out, scarred for life. Even the core maintainers've been complaining about how rotten and impossible to maintain it is lately :D[/quote]
bootstrap.inc is the very first include file that is called for Drupal, and it's not that big, and the killswitch was located halfway along the file. That, and I have written PHP code waaaay worse than this myself :)[/quote] Oh, well... I'd have done a quick google myself, first. Although I do understand looking into the first included file. Sane thing as well, yet so very, very, very unbelievably stupid to put that killswitch in there! includes/common.inc or similar large, general-purpose files'd be a way better place.
Another WTF: The quoting that breaks up in here (well ok, I might have forgotten to reopen them, but still). That and the passwords on here taking stuff like #, but you're not allowed to use . or ! in your username!
You can even "hide" it with a little ROT13,
$riny = str_rot13('riny');
php you so silly.
eval() is anything but arbitrary. It provides the contractor with more than the opportunity to disable execution of a page, as he would certainly have entertained the possibility that the code snippet in question would eventually be found if he simply took the site offline. eval is there so that he can fully disable the site, not "turn it off". I would have been unsurprised to find a function that deletes most of the site documents, perhaps even the data.
captcha: ludus - I would take a crack at this one if I thought there were any Jim Butcher fans reading.
The original fake Nagesh.
I think we decided he was actually from New Jersey.
Civil hospitals plenty in the UK? The NHS offers free care to all and sundry.
If the eval() actually contained a call to base64_decode( blahblahblah ), then this code is a killswitch and not a backdoor.
Also, first poster, you stole the words from my fingers.
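Added example, not code from the thread or from Drupal: a small Python heuristic that flags the two tricks discussed in the comments above, an eval() call hidden behind a str_rot13 alias and eval() over base64_decode with "@" error suppression, run over a few constructed PHP lines.

```python
"""Heuristic scan of PHP source for obfuscated eval() (added example)."""
import codecs
import re

# Constructed sample; lines 2-4 mimic the tricks discussed in the thread.
SAMPLE_PHP = """\
<?php
$riny = str_rot13('riny');
$riny(base64_decode('ZWNobyAiaGkiOw=='));
@eval(base64_decode($payload));
$x = str_rot13('hello');
echo 'normal code';
"""

DECODERS = ("base64_decode", "str_rot13", "gzinflate", "gzuncompress")
ROT13_ASSIGN = re.compile(r"(\$\w+)\s*=\s*str_rot13\(\s*'([^']*)'\s*\)")
DYN_CALL = re.compile(r"(\$\w+)\s*\(")  # $var(...) variable-function call


def scan_php(source: str):
    """Return (line_no, reason) findings for eval()-style execution,
    including eval() reached through a str_rot13 alias variable."""
    findings = []
    aliases = {}  # variable name -> decoded string literal
    for no, line in enumerate(source.splitlines(), 1):
        m = ROT13_ASSIGN.search(line)
        if m:
            aliases[m.group(1)] = codecs.encode(m.group(2), "rot13")
            if aliases[m.group(1)] == "eval":
                findings.append((no, f"{m.group(1)} is rot13 alias for eval"))
        decoders = [d for d in DECODERS if d + "(" in line]
        suffix = " over " + ", ".join(decoders) if decoders else ""
        if re.search(r"\beval\s*\(", line):
            reason = "eval()"
            if line.lstrip().startswith("@"):
                reason += " with @ error suppression"
            findings.append((no, reason + suffix))
        for c in DYN_CALL.finditer(line):
            if aliases.get(c.group(1)) == "eval":
                findings.append((no, f"call through {c.group(1)} (= eval)" + suffix))
    return findings


if __name__ == "__main__":
    for no, reason in scan_php(SAMPLE_PHP):
        print(f"line {no}: {reason}")
```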
Doctors do this all the time, but instead of 'Worse Than Flatlining', they call it a 'Morbidity and Mortality Conference'. There tend to be fewer jokes, hidden comments, and strange fake-Indian trolls.
Doctors have to be a little more careful about making fun of the incompetence of their colleagues. It's one thing to say, "And then this programmer screwed up and instead of the customer's name appearing on the screen, it said '{name}'! Ha ha ha!" It's a little different to say, "And then this doctor screwed up and instead of removing the cancerous kidney, he removed the healthy kidney, and the patient died the next day! Ha ha ha!"
An estimated 225,000 deaths per year due to medical malpractice (http://medicalmalpracticelawblog.com/2008/10/31/statistics-on-medical-malpractice-lawsuits/) would tend to imply that the medical profession does indeed make mistakes now and then. For some unfathomable reason, having an official piece of paper from the state on the wall does not make someone an infallible doctor.
Proofreading: this article does not haz it.
Though it's making incremental improvements since I first loaded the page.
Captcha: The proofreader was not "praesent" when this article was posted
Hey, the redaction isn't very good! You can read what it says! Ha, I bet I'm the first person to notice that!!!!
Why no, I didn't bother to read any of the previous comments - why do you ask?
Wouldn't a modification to bootstrap.inc get nuked in the next routine Drupal update?
Hacks to settings.php are the way to go, since it's the only PHP file loaded early in the process that can't be disabled by other settings, and gets preserved during updates.
Coming soon to a TV near you: "The WTF Factor"
You know, it's some sweet, sweet, loving time. Once you go Gujarati, you don't go back!
LOL who said that to you? I hope that wasn't your doctor
(And you say he sold you those pills? And they don't help either; instead you get worse? But that's not the doctor's fault, take those other pills, they cost more though.)
The Real WTF is Drupal.
I'm sure the real domain has been removed to protect the aforementioned contract developer.
Perl = A programming language that looks the same before and after encryption. =)
All the doctor can do is offer advice. If that advice means taking lots of expensive pills, then it is up to you to do your due diligence to read up on what those pills actually do to you. If, having informed yourself what they do, you decide to take those pills, then it is your responsibility. If you choose not to take those pills, then again, that is your choice. If it transpires that the doctor doesn't care what the pills do beyond the fact that your taking them assures him of the lucrative back-hander from the manufacturer of those pills, then he's a very naughty man.
The alternative is to take the attitude that: you're ill, you'll either get better or you won't, and take your health into your own hands. If you haven't grown comfortable with your own skin to the extent that you can't work out whether you're seriously ill or just suffering from manflu you're clearly not evolutionally ready for long-term survival.
What makes me laugh with derision are tales of people who go to hospital with trivial ailments.
This reminds me of a story that happened to a client a few years ago. They moved from shared hosting to a virtual server. The move went pretty well, although there were a few weird things, mostly since their entire site was obfuscated with Zend Optimizer. Then suddenly 2 days after the move no pages worked anymore - and the logs showed a similar 200 response with 0 bytes returned.
The developer that worked on the site wasn't available, and since everything was obfuscated, finding the cause wasn't easy. Luckily somebody decompiled those files for me, and we found this at the top of init.php:
DNS was moved to the VPS as well, but it took 2 days for the provider's servers to update. Since the code was obfuscated (and the deobfuscated code didn't run, and the developer wasn't available), the temporary solution to get the site back online was to set Apache's ServerName for the site to something that resolved to the old IP.
This forum is getting inundated with trolls. If Alex doesn't clean up, this site is going to look like a WTF.