Admin
Reading that code made my lunchtime :) Beaming smile across my face at the insanity of it. No conditional nested If blocks, no database use, badly named variables, no inclusion of security header on target pages... just beautiful.
Admin
That's completely insane - firewall?
But I have to agree - lunch is improved with a novel (simple) wtf...
Admin
I guess they should be grateful it's not all on one line. Seriously though, that's impressive. Sometimes you have to wonder how these people survive a day. It never occurs to them to think "there has to be a better way than this"?
Admin
Better way? That's crazy talk!
Admin
And now we know to try http://www.stupiddomain.com/private/index.asp
if we get an error on their main site. Nice - we can all read the content. I wonder if they turned off the ability to browse directories?
Admin
Unfortunately, looking at Google, there are no easy-to-locate culprits; rather, we see: Results 1 - 30 of about 136 for inurl:private/index.asp. (0.29 seconds)
And that's assuming that part of the URL wasn't anonymized at.
Admin
Dreadful, just dreadful. Not only is the design and architecture laughable, there's redundant code everywhere.
I would feel very comfortable saying that this is the work of a tech-boom business major HTML-er turned programmer.
Admin
Seriously, use the same trick on "secret/index.asp" and "secure/index.asp" ... how do you know the URL isn't anonymized?
Admin
Hey! Try it with "protected/index.asp" wow!
Admin
For a while I was thinking all that ip = foo were assignments! THAT would be a complete WTF!
Although, I do think that mixing the assignment operator with the test-equality operator is a small WTF in itself.
Admin
They should have used JavaScript, much more secure that way I hear.
Admin
That's VB for you...
Admin
"dubya", said Captcha. I was going to write something here, but that summarizes it more effectively than I ever could have.
Admin
The fourth link for that search is a page (The Tax Club) which tells me that my tax return is almost two years late! WTF?
Admin
I think I could surf the internet for 50 years and not get sick of people overreacting to sarcasm.
Admin
I'm trying to figure out why they do two checks. Also, not using the short-circuit OrElse operator is a waste of cycles. At least this one isn't as eye-gougingly horrible as some recent ones.
captcha: tastey (mmmmm...mmmm good)
Admin
Sometimes I wonder if literary types have the same kind of debates about their languages and writing styles? "Oh, that would have been so much more understandable in Spanish" "The REAL WTF is the leading upside-down question mark in Spanish! How can anyone take that language seriously?" "You have no idea what you're talking about! Spanish is just as serious as any other language!" "The problem with Spanish is that too many people speak it, so half of what's written in Spanish is trash." "I don't know what you guys are talking about. Real writers only write in Cyrillic!"
Admin
One time, I saw a Javascript authentication system in place for the partner extranet on the Web site of a major manufacturer of fingerprint scanners and biometric security equipment.
The way it worked was, it downloaded a Javascript MD5 implementation, and a list of password hashes as a JSON object. When the onsubmit() event of the login form fired, the password input got hashed and compared against the list. If your password was in the list, the code set a cookie and redirected you to the extranet home page (which would, again through Javascript, redirect you back to the login page if you didn't have the cookie).
There was no robots.txt file (there is now), so the hundreds of precious PDF files that you supposedly needed a paid extranet account to access, linked to by the extranet home page, were available to anyone smart enough to hack the system or disable Javascript, and to anything that wasn't a Web browser, like Google's indexer bot.
The same site used Apache digest auth elsewhere, but that was compromised because the aforementioned JSON file was substantially the same list of MD5 hashes as the .htpasswd.
I'd feel really "secure" using their products. The Department of Homeland Security is one of their biggest customers.
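The comment above describes a login whose password hashes are shipped to the browser and whose "session" is a cookie the client sets for itself, so the documents are reachable by anything that skips the script. The following is an added example, not code from the original post or from the site being described, of the server-side shape that avoids both problems: salted PBKDF2 records that never leave the server, a constant-time comparison, and a random session token that the server issues and checks before serving any document. The user names, passwords and document names are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware


def make_record(password: str) -> str:
    """Return 'salt_hex$digest_hex' for storage. The salt is per-user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(record: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Used when the user name is unknown, so an unknown user costs the same
# time as a wrong password and does not leak which names exist.
_DUMMY_RECORD = make_record("dummy-password-never-accepted")

# Constructed "extranet" documents; in the real site these were PDFs.
DOCUMENTS = {"report.pdf": b"%PDF-1.4 constructed sample content"}


class ExtranetServer:
    """Minimal server-side model: hash records and sessions stay here."""

    def __init__(self, users: dict):
        # users maps name -> password; only the salted records are kept.
        self._records = {name: make_record(pw) for name, pw in users.items()}
        self._sessions = {}  # server-issued token -> user name

    def login(self, username: str, password: str):
        """Return a fresh session token on success, None otherwise."""
        record = self._records.get(username)
        if record is None:
            verify(_DUMMY_RECORD, password)  # burn the same time, then refuse
            return None
        if not verify(record, password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, issued by the server
        self._sessions[token] = username
        return token

    def get_document(self, cookie_token, name: str):
        """Serve a document only for a token the server itself issued.

        A cookie the client made up (the 'set a cookie in JavaScript'
        pattern) is just an unknown token and gets 401 like no cookie.
        """
        if cookie_token is None or cookie_token not in self._sessions:
            return 401, None
        if name not in DOCUMENTS:
            return 404, None
        return 200, DOCUMENTS[name]


if __name__ == "__main__":
    server = ExtranetServer({"alice": "correct horse battery staple"})
    print(server.login("alice", "wrong") is None)        # True
    tok = server.login("alice", "correct horse battery staple")
    print(server.get_document("made-up-cookie", "report.pdf")[0])  # 401
    print(server.get_document(tok, "report.pdf")[0])              # 200
```

The point the example makes against the described site is structural: an indexer or a client with scripting disabled hits `get_document` with no valid token and gets nothing, because the decision is made where the secrets live. Reusing the same hash list for two mechanisms, as the site did with its JSON file and `.htpasswd`, is avoided here simply by never exporting the records at all.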
Admin
I think the shot at VB was directed at the assignment and equality operator being the same, not at anything to do with security.
Admin
I'm assuming they're using IIS, so they completely ignored the built in IP and Domain Name restrictions. Unless of course they're hosting it on a Windows XP version of IIS which has that feature disabled, which would be a WTF in a whole other category.
captcha = cognac (hic!)
Admin
Can't believe it :) dammit.. I'd do myself ara-kiri (how the hell do you write that?) if I'd write such a waste ;)
Admin
you rock!
Admin
A good rule of thumb might be to ask yourself, "am I writing a paragraph of text responding to a 4-word post?"
Because if you are, it's pretty obvious the original author isn't interested in a serious conversation, so you're wasting your time.
Admin
you're aware that wget can happily ignore robots.txt if you pass it the right option, aren't you?
Admin
Personally, I really hate VB but this WTF has nothing to do with VB. It has everything to do with the "coder" having severe brain damage :)
Admin
Anyone else wonder what happens if you change error=0 when you get forwarded to index.asp?
JavaScript would be almost as secure and easy to maintain (NOT secure, and nightmarish). You could only forward on success, so those with JavaScript disabled aren't automatically forwarded. You'd need a way to jumble the URL too. Someone could look at the list of IP addresses and Class C's, but there would be much easier ways to bypass this Fort Knox-like security than spoofing your IP address.
Admin
Uhm... ok, not even talking about firewalls, what's so hard about a one-line SQL statement? (pseudo code, since I don't do that ASP garbage)
SELECT COUNT(*) FROM VALID_IPS WHERE IP_ADDR = ?   -- bind the client's IP as the parameter
if (count == 1) { /* yee haw */ } else { /* redir goatse */ }
Admin
I don't know if reading El Quijote in Cyrillic is a good idea, at least for me, since I'm Spanish. And BTW, more people speak English, such a poorly designed language, like Visual Basic... sorry, I couldn't resist
Admin
"You have not experienced Shakespeare until you have read him in the original Klingon." - Chancellor Gorkon
Admin
This strikes me as a fairly odd way of knocking the end off a string.
Admin
VBScript doesn't have short-circuit operator. Lame, isn't it?
Captcha: dubya (zark off!!!)
Admin
That would not work for the /24-networks he is checking for.
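The SQL suggestion a few comments up does a single equality lookup, and the reply just above points out that it cannot express the /24 networks the original ip2/ip3 lists covered. Both are served by the added example below, which is not code from the original post: the allow list is written as CIDR entries (single hosts and whole networks), checked first with the standard library's `ipaddress` module and then with the SQL approach, where each network is stored as an integer range so one `BETWEEN` query answers both the single-host and the /24 case. The addresses in `ALLOWED` are constructed documentation ranges. One caveat is in the comments: the address checked must be the socket peer address the server saw, not a header the client sent.

```python
import ipaddress
import sqlite3

# Constructed allow list: two single hosts, a whole /24 (the "class C" case
# the original code special-cased), and a smaller /28.
ALLOWED = [
    "192.0.2.10",
    "192.0.2.11",
    "198.51.100.0/24",
    "203.0.113.0/28",
]


def parse_allowlist(entries):
    """Turn CIDR strings into network objects; a bare host becomes a /32."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_allowed(client_ip, entries=ALLOWED):
    """Membership test in Python.

    client_ip must be the peer address of the connection (REMOTE_ADDR),
    never X-Forwarded-For or similar, which the client controls.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # garbage in the address field is simply not allowed
    return any(addr in net for net in parse_allowlist(entries))


def build_allowlist_db(entries):
    """SQL variant: store each network as an inclusive integer range."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE valid_ips (net TEXT, lo INTEGER, hi INTEGER)")
    for net in parse_allowlist(entries):
        if net.version != 4:
            continue  # IPv6 ranges do not fit a 64-bit SQLite integer
        conn.execute(
            "INSERT INTO valid_ips (net, lo, hi) VALUES (?, ?, ?)",
            (str(net), int(net.network_address), int(net.broadcast_address)),
        )
    conn.commit()
    return conn


def is_allowed_sql(conn, client_ip):
    """One parameterised query covers single hosts (lo == hi) and networks."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    if addr.version != 4:
        return False
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM valid_ips WHERE ? BETWEEN lo AND hi",
        (int(addr),),
    ).fetchone()
    return count > 0


if __name__ == "__main__":
    db = build_allowlist_db(ALLOWED)
    for ip in ["192.0.2.10", "198.51.100.77", "203.0.113.16", "not-an-ip"]:
        print(ip, is_allowed(ip), is_allowed_sql(db, ip))
```

Keeping the list as CIDR data rather than as a chain of `If ip = ...` tests means adding a network is a data change, and the parameterised query keeps the address out of the SQL text entirely.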
Admin
I am sure this was translated from Aramaic before posting, because only that language is appropriate for use during sarcasm.
Admin
You could make a more apt comparison by substituting "Spanish" with "Klingon" thusly:
"Oh, that would have been so much more understandable in Klingon" "The REAL WTF is the lack of love poetry in Klingon! How can anyone take that language seriously?" "You have no idea what you're talking about! Klingon is just as serious as any other language!" "The problem with Klingon is that only Trekkie obsessives speak it, so half of what's written in Klingon is trash." "I don't know what you guys are talking about. Real writers only write in Borg!"
I think, trolls aside, we can all agree that VB is fine in its place. I think all VB aficionados would agree that this place would not be, say, in the flight control system of an Airbus. It does seem to spread like kudzu, though...
Admin
In the original code sample, each list of IP addresses was all on one line; unfortunately, that doesn't fit very well on the web page. Mea culpa for not mentioning it!
Admin
You know, I did kind of code something like that as a quick-n-dirty hack code for a message board I ran. But I did it as an IP blocker... not a form of security to allow people in!
That's just mind-boggling.
Seejay
Admin
Especially considering that the XP version only allows something like 5 concurrent connections. "Sorry surfer number 6...wait your turn"
Admin
It's not that bad if you write vb all day. If you switch back and forth between vb and C# frequently like I do, it can be lethal!
Admin
I'm just surprised Fran's web admin (or other cow-orker) didn't complain about getting haxx0red by something called "Googlebot".
Admin
Wow, that's a nice one... perfect example of how security in web apps is handled... and we care about css/xss attacks... ;)
Admin
I like how you have to scroll past dozens of existing comments to find the "Add Comment" link.
Anyway, this is a nice WTF. I read the first part (ip) and thought "ehh, not surprising". But just when I thought it was gonna be a lame WTF today, the ip2/ip3 part cracked me up.
On the bright side, at least they came up with a way to block out subnets without having to list each IP in the subnet individually. I am a little surprised, actually.
Admin
I don't think anybody has mentioned the complete WTF nature of the fact this code does a Response.Redirect, which just tells the browser to load the /private page..... And the browser will clearly show the /private page address in the URL address bar...
So not only is this horribly written, but completely pointless.... If someone wants to link to the page they'll use the address they see in the browser, which will be the /private page anyway...
-Me