- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
It only asks for confirmation when you are root, and that's because most shells set the -i (interactive) option as an alias for rm in the default profile rc file. This is why you need to use -f while root to delete an entire directory tree. The idea is that when you are root, you have the power to delete the entire filesystem, so better set interactive mode as default.
-dZ.
Admin
I'll probably get some heat for this, but I actually like PHP. Unfortunately it's morons like this who propogate the stereotype that PHP is for newbies and shouldn't be used for "real" sites. Of course you can screw up in any language, I guess PHP just makes it easier. I've done a lot of different sites and never saw the need to use exec()...I'm sure there is one I just can't think of it. I feel sorry for Edward having to read 10 hours of that crap, I guarantee there was plenty of global variables as well...(blech)
Admin
nope. check your profile rc file and probably rm is aliased with -i for interactive mode. This is usually on the root profile only, though.
-dZ.
Admin
Admin
I hate to be pedantic here, but...
John Connor: Did you terminate all those files?
Terminator: Esta la Vista, baby.
"Esta la Vista" doesn't really mean anything, unless, badly translated, you interpret it to mean "this is the view."
You were thinking "Hasta la vista," which is "goodbye," or "until I see you" (or you see me, or we see each other--it's a colloquialism that doesn't really have a literal translation).
Actually, I don't hate to be pedantic.
Admin
:-O Um, the fact that we're reading about the result pretty much proves it does work. BTW, you're thinking of "rm -i ..."
This really isn't a colossally huge, blindingly stupid WTF. It's just your average, everyday, stupid code-monkey sort of WTF. Not bothering to sanity check before relying on a variable's contents? Go back to school kid.
Admin
I have seen this in actual production Java code:
public void copyFile(String filename1, String filename2)
{
try {
if (System.getProperty("os.name").indexOf("Windows") >= 0)
Runtime.getRuntime().exec("copy " + filename1 + " " + filename2);
else
Runtime.getRuntime().exec("/bin/cp " + filename1 + " " + filename2);
} catch (IOException e) { }
}
Admin
How did edward have access to the source code of the application?
Admin
<FONT face=Tahoma>They should have placed this message in the site.
"This page will self destruct in 5 minutes (or until your session times out)"
</FONT>
Admin
Software that selflessly sacrifices itself to make the work a better place... nice!
Admin
Correct:
"$_SESSION['Tempfile']" # throws an error
"$_SESSION[Tempfile]" # throws a notice
"{$_SESSION['Tempfile']}" # correct
This wouldn't actually work at all:
exec("rm -r /var/public_www/$_SESSION['Tempfile']");
This would be correct:
exec("rm -r /var/public_www/{$_SESSION['Tempfile']}");
Admin
Yeah, I always check websites to see if they will delete themselves if I leave them alone for half an hour. Can't be too careful.
Admin
Not quite as the sessions are expired based upon the file timestamp, when ever the file is read it's timestamp is updated, and the files are read when you tell php to load the session (might be able to set it to auto load the session when the page loads, havn't used php in a while).
I thought php allowed you to set code that would run when a session expired? As this would be the place to do this sort of clean up code, although this wouldn't negate the argument checking.
On a side note this reminds me of some code produced by a co-worker to allow clients to browse files that we had uploaded to the site. Only the path to browse was passed in the query string, and wasn't validated. The server would quite happily allow users to browse c:\ to their hearts content. Surfice it to say, after seeing this I steered him away from all security related code and just let him design the layouts whilst I wrote all the code to make the page work.
Admin
The WTF starts here. I don't know what these guys make per month/hour, but spending months evaluating gets you through a pretty large chuck of $50,000. In the end when they went with the cheaper product, they probably spend 2-3 times as much evaluating the products as they spend on the software.
Admin
The same way the PHP interperteter gets access to it.
Admin
The real wtf is that this code exists at all. It happens every time a session times out and a user tries another action. I could see this slipping by shoddy testing, but this company must be the very first real user of the system.
Captcha = genius. I feel better already.
Admin
The obvious fix...
<font color="#000099">function</font> terminate() {
<font color="#000099">exec</font>(<font color="#990000">"rm -r /var/public_www/$_SESSION['Tempfile']"</font>);
//added to fix weird bug
if(isEmpty(<font><font color="#990000">$_SESSION['Tempfile']</font></font>)) {
exec("cp -R /var/backup_public_www /var/public_www");
}
}
Admin
Well I know that the problem arises whenever the string is empty, but technically you should rather use "isset()" rather than "!empty()" to check if the session variable expired. It's probably not the case here but empty(0) returns true.
I suspect that missing curly brackets are the clue leading to something more sophisticated in the original code. Maybe they have had a whole temp directories for each user/session (bad variable naming, though) - that would explain the origin of " -r" (you should use rmdir() for that, though - unfortunately the directory must be empty [but empty in the other meaning than presented in this very WTF], which often pisses people off, as it requires a full scan and deleting files one-by-one [or so it seems]).
Finally I must admit that this is not so obvious for me after the first reading that there is a thread of variable expiration - it's a bit counter intuitive. However, it is obvious that the variable could be never set at all, so why nobody checks for that? I mean: if the code assumes that this field is always set, how did it manage to run at the first connection, when there is no session? I'd guess there must be some place in the script that checks if( there is no session ) {build some default session info}, so there must be something screwed up with this test and I'd like to see it!:)
Also, as mentioned earlier, most often the script fully controls the content of the session variables, so it is not-so-insecure to use them inside exec(), but why risk?
Admin
So what exactly is the WTF here? Is it
a) That the code deleted the entire /var/public_www directory,
b) The vendor refused to consider the possibility that there could be something wrong with the program (and claimed that it was 'hack-proof')
c) That PHP lets that line execute (shouldn't it throw an error or something if you try to use a variable that doesn't exist?)
or d) That no one (at least as far I know, its possible they didn't include this in the submission) has driven down to the vendors office and beaten the crap out of him?
Admin
I dunno if it's different in a chroot, but I just tried it and rm happily wiped my chroot out.
Admin
So deliciously horrible... scary, amazing.... speechless.
Admin
OMG!!!!! i am speachless..
Admin
Is there any other (moderately simple, at least) way of copying a file with all its security attributes and metadata in Java?
Admin
Talk about write-once run anywhere!
Wait, it doesn't work on Mac OS9?
Admin
Regarding race-condition, I don't think it'll really happen.
I'm not a PHP programmer, but in general the session-expire time would be renewed whenever the client post something to the server, wouldn't it?
Admin
IMHO the true WTF here is the 'exec'. Why would I ever want to 'exec' something that can be done in like 10 lines or pure code? Duh!
captcha = awesomeness - what a stupid word
Admin
This is, like, the WTF of the month at least.
Admin
Runtime.getRuntime().exec("/bin/cp " + filename1 + " " + filename2);
wouldn't copy metadata or security attributes as cp is defined in the Single UNIX Specification. You need the -p switch for that.
Admin
The result would depend on the OS and the particular version of rm being used. Some versions of rm will just refuse to do a recursive delete on root. Others will all too happily trust the judgement of the user.
Admin
In spanish, H's are usually muted (have style="display: none;" set on them), hence "Hasta" is often heard as "'asta" (or in the case of a really bad accent, "'esta").
I was always under the impression (thanks to my secondary school spanish teacher) that "Hasta la vista" meant "I'll see you when I see you", and that you should really use "Hasta Luego" or "Hasta Mañana", meaning "I'll see you later" and "I'll see you tomorrow" respectively. Though Mañana is a slippery one that can mean (in it's colloquial terminology) "Tomorrow, or sometime after that".
And I've got my +5 Mantle of Pedantry on. :)
Admin
From time to time, PHP will check what sessions should expire, delete their tempfiles and clear their variables. So when the user comes back half an hour later PHP opens a new empty session which you are right will not time out. So checking out if what you thought you put in $_SESSION is still there, you'll know if the session expired or not.
As people pointed before, you can save pretty much anything you want in your session and PHP takes care of the cleaning.
Admin
In which setup does "$_SESSION[Tempfile]" throw a notice?
It is perfectly legal php code. Since the key Tempfile is already qouted once(In the outer string) it doesn't need to be qouted again.
And to the guy that suggested that
if(exists($_SESSION['Tempfile'])) /Use $_SESSION['Tempfile'] here/
should be a race condition is wrong. $_SESSION[] is copied into the program so even if another thread or process should get cpu time the data will still be there when control returns.
Admin
Ideally that would be true, but beware of injection bugs. As you say, it's best not to risk it.
Admin
"That would introduce a race condition. if it tested that at 24 minutes 59.99 seconds then the session expired and interupt was sent and session became undefined the same thing is going to happen. granted there is a very small chance for it to happen. but remember, if something can go wrong, it will."
As already mentioned, because of the way PHP handles it there wouldn't be a race condition. However, it's also very easy even if it didn't handle them like that to avoid the race condition:
<font face="Lucida Console" size="2">$tempFile = $_SESSION['Tempfile']);
<font color="#000000">if (!empty($tempFile))
</font></font><font color="#000000">exec(</font><font color="#000000">"rm -r /var/public_www/</font><font color="#000000" face="Lucida Console" size="2">$tempFile</font><font color="#000000">");
Which effectivly mimicks what PHP already does :)
</font>
Admin
No, PHP will not treat undefined variables as NULL. They're just undefined. Infact if you try to get the value of an undefined variable a properly configured PHP installation will issue a Notice. I'll just assume that this installation wasn't properly configured.
Admin
Instead of checking if the session is expired, why not use:
If (strlen($_SESSION['tempfile']) > 0) ...
because you never know when some jackass will store "" or worse in $_SESSION['tempfile'].
Admin
a _real_ php-coder turns all that annoying notices and warnings off. in the end that's the reason he chose to use php: don't care for error - add weird code until it seems to do what it should...
p.s.: my CAPTCHA test string for this post was: billgates
Admin
There is no such thing as good luck. There is only misfortune and its occasional nisfortune.
Admin
So what happens when when a black hat submits a query with the session variable Tempfile set to '*'?
You need a lot more checks than just empty().
Admin
In order to have a race condition you must have shared memory. $_SESSION is not shared. It is copied into the process before any PHP code is executed. So here a race condition is impossible.
Admin
or simply
exec("rm -r /var/public_www/".$_SESSION['Tempfile'])
Admin
Well, I'm nitpicking here, but the data inside the session is controlled by the script, and not by the end user. The user will have a cookie with a session ID, which may be stored in the cookie. Modifying that value however will just make it invalid, and not alter any of the data associated with the session.
The tempfile would hopefully be set with
$_SESSION['tempfile'] = mktmp();
In order for the black-hat to modify it, it would have to be actually provided by the browser, i.e.
$_SESSION['tempfile'] = $_POST['tmpfile'];
and a <input type="hidden" name="tmpfile" value="blahblah231432.tmp">
which is unlikely.. (but I would not be surprised if they really did that.)
Admin
That's not nitpicking, it's simply the correct answer.
Admin
You're joking, right? Even by dodgy php code standards, this is very, very bad.
Admin
Actually, it seems odd to have the web directory write-able by the server, anyway.
Admin
None of it? Oh well. In Windows you'd need to "copy" to for example easily copy over multiple file streams (in which some metadata resides). Though actually to copy things like timestamps and permissions does require something other than plain "copy".
Admin
The real WTF here is someone paid $5K and never reviewed the code they bought. How many of you would gladly accept $500 to rifle through some php code looking for sick crap like that.
The secondary 'holy crap' is that their php.ini is surely a WTF case as well, for exec() access on a production server is a freakin' no-no to begin with (Ever hear of Cron Jobs or Scheduled Tasks??)
Third, rudimentary php is that any superglobals (Session/Cookie/Posts/Gets) should always be checked for definition ("undefined index") before calls to them.
Lastly, this one made me really chuckle:
P.S. I proved I was human by typing 'batman' in the captcha. :)
Admin
:-)
Admin
<sarcasm> Nothing wrong here, the terminate() function acts as intended: it totally [ex]terminates the application. </sarcam>
Admin
Note that there is probably another bug lurking here.
The session variable was blank because it had been timeout terminated--but was the temp stuff cleaned out when this happened? I suspect this code builds up garbage until you get a disk full. It's probably slow enough that nobody would have noticed it, though.