• EvenMoreAnonymous (unregistered) in reply to History Teacher

    I'll get flamed for this, but

    History Teacher:
    As far as I can see, that would become completely sensible code with a few minor tweaks.

    You don't even really need the tweaks for this to be somewhat reasonable code, just make a few not unreasonable assumptions. First, nothing says there's not additional validation code on the server side. Secondly, assume that the code is a few years old (php has been around 15 years now), so it predates widespread browser acceptance of ajax and it's on an intranet with overseas employees on very slow expensive connections: in that case, it's often much faster to send a lot of data at once rather than force the user to re-establish a connection and post back the page. (2000 names is a bit much, but the developer could easily have said you must re-code if the user count goes over 100 and that was never done).

    Publishing the usernames is a security hazard, but not much of one if the entire list is publicly available anyway, which is pretty common. It's possible there's a giant wtf here; it's also possible this was a reasonable solution to a real problem, although it certainly needs updating like lots of code does after a decade.

    Captcha is "eros", I'm feeling lucky.

  • Val (unregistered)

    This is a call for little Bobby Tables!!

  • (cs)

    Meh. One app I had to fix let me login as ' OR 1=1 --

    Not the regular interface, that one did sanitize the login field. The one that let me use that "login" ... was the administrative section.

  • (cs) in reply to The Enterpriser
    The Enterpriser:
    Seriously.. wtf does 'admin' being the first name in the list have to do with anything? What particular sql query are Ben/Alex creating in their minds which could lead to the admin login being used as a default.
    E.g. select * from users where username = 'some username that does not exist' or 1=1 order by creation_time limit 1 --' and password = 'whatever'

    will return the first user, which usually is an admin.

    Addendum (2010-11-10 08:53): Ignore this comment -- I forgot what was written in the article.

  • Gandor (unregistered) in reply to julmu

    Looks like someone did not read the article... The only mentioned SQL in this article was $SQL=mysql_query("SELECT * FROM users"); and NOTHING more... So if I can see clearly, there is NO text concatenation to create the sql query.

    Which means that ANYONE saying that this app is vulnerable to !SQL! injection (just by reading this article) is wrong.... BTW I did not say CODE injection or any other potential security threat...

  • (cs) in reply to Gandor
    Gandor:
    Looks like someone did not read the article...
    I read the article but by the time I had read all the comments I had already forgotten what the article was about and didn't bother to re-read it.

  • (cs)

    This brings back memories..

    Back when doing web stuff a decade ago (yes, I'm old) I found it interesting that parts of the single source file were actually executed on three different computers - the db server, the php server, and naturally the browser.

    This was, naturally, difficult for some developers to understand, and as such I'd find folk trying to run sql on the browser or javascript on the db server..

  • Gaydor (unregistered) in reply to Gandor
    Gandor:
    Looks like someone did not read the article... The only mentioned SQL in this article was $SQL=mysql_query("SELECT * FROM users"); and NOTHING more... So if I can see clearly, there is NO text concatenation to create the sql query.

    Which means that ANYONE saying that this app is vulnerable to !SQL! injection (just by reading this article) is wrong.... BTW I did not say CODE injection or any other potential security threat...

    Read the article you fucking moron:

    The Article:
    ...from a security standpoint, it's not really that big of a deal, as entering a password of ' OR ''=' would log you in as the first user in the database (admin), anyway.
    It wasn't shown in the code sample but the article explicitly stated it was vulnerable. Learn to fucking read, dipshit.

  • f. (unregistered)
    "entering a password of ' OR ''=' would log you in as the first user in the database"
    I don't believe this!

  • f. (unregistered) in reply to f.
    f.:
    "entering a password of ' OR ''=' would log you in as the first user in the database"
    I don't believe this!
    Oh, wait, I take that back!

    Look at the most used way of writing MySQL in PHP: "SELECT * FROM users WHERE user = '$user' AND pass = '$pass'"

    It is exploited using ' OR ''=' as password; keep in mind that AND has precedence over OR in MySQL: "SELECT * FROM users WHERE (user = 'admin' AND pass = '') OR ''=''"
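
The query shapes discussed above (the string-built login check in f.'s comment and the "returns the first user" effect noted in the reply to The Enterpriser), shown as an added example that is not from the article or any commenter. It uses an in-memory SQLite table as a stand-in for the MySQL database, with a constructed users table whose first row is "admin"; the AND-over-OR precedence behaves the same in both engines. The vulnerable function mirrors the quoted concatenation, and the parameterized function is the fix.

```python
import sqlite3

# Constructed sample data: "admin" is inserted first, as in the article's scenario.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "pw")])
    return conn

def login_vulnerable(conn, user, pw):
    # Mirrors the quoted query: the values are pasted into the SQL text, so a
    # quote character in them changes the statement's structure. With pw set to
    # ' OR ''=' the WHERE clause becomes (user = ? AND pass = '') OR ''='' ,
    # which is true for every row, and the first row returned is "admin".
    sql = f"SELECT user FROM users WHERE user = '{user}' AND pass = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, user, pw):
    # Hardened form: placeholders keep the input as data, so the same string is
    # compared literally against the stored password and matches no row.
    sql = "SELECT user FROM users WHERE user = ? AND pass = ?"
    row = conn.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None

def demo():
    conn = make_db()
    payload = "' OR ''='"   # the password value quoted in the article
    return {
        "vulnerable": login_vulnerable(conn, "nobody", payload),
        "parameterized": login_parameterized(conn, "nobody", payload),
        "legit": login_parameterized(conn, "alice", "hunter2"),
    }
```

Note that "first user" is whatever row the engine happens to return first for an unordered SELECT; here it is the first inserted row, which is the same assumption the thread makes.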

  • Mcaden (unregistered)

    I saw this article and wanted. Because I've seen the same thing in the wild only worse. The code I saw was almost exactly the same, but spit out email addresses...and it was for a doctor's office website.

  • sydV (unregistered) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    This is, sadly, a lot more common than we would hope. I've seen a LOT of codebases that, while not this bad, exhibited the same "I have no idea WTF I'm doing so I'll do the first thing that pops into my head" type developer mentality. In all cases it was because management was breathing down the developer's neck and they didn't have the time to do things properly, so they HAD to throw together some nonsense and never got around to fixing it.

    That doesn't excuse the WTFs in this particular article because there's NO excuse for this kind of idiocy, but I guarantee it wasn't just a stupid developer; probably a newbie who had to do the first thing that they thought of due to stupid deadlines from their boss.

    +1

Leave a comment on “Thourough Username Validation”
