Admin
[Y]
Admin
You gotta have all your bases covered. What happens when 90210 no longer has a length of five? Then you're screwed!
What I really don't get is:
Admin
I can see the code being just the portion (if pass==9002) {} and then a junior developer being requested to add more specific error messages such as "Password Required" and "Incorrect Password"... hence copy+paste without understanding.
Admin
Hurray. You're the first poster to the thread. What do you get?
Oh that's right, absolutely nothing.
Admin
<SARCASM>Well, if you're gonna go to that much trouble to make sure they put in exactly 90210 then why not just tell them the password on the page and say something like "You must enter 90210 or access will be denied"?</SARCASM>
Admin
I'm just surprised the password wasn't "13373"
Admin
If pass = 90210??? looks like an assignment rather than a comparison to me!
Admin
I've got it. They forgot this code:
Admin
Yeah, that's a popular password here...but hopefully this validation is not quite so popular...
Admin
So after all that checking, it then returns true anyway. Oldest mistake in the book!
Admin
And that explains the code. Some newbie couldn't figure out why it always let people in, even with the wrong password. So they added all the "wrong" conditions rather than figuring out how to type an extra "=".
Time to raise the old "paid by the line" argument again?
Admin
No it doesn't because of the checks before. My guess is that the "developer" didn't spot this error, and was puzzled why access was granted when he wanted to deny. So, he started adding the checks in the start, until it finally worked.
Admin
Not quite. It has to pass through the oh-so-intimidating gauntlet of not being less than or greater than 90210, and having a length of 5. It does do an assignment, but it has to be 90210 by that point anyway.
Admin
The tragedy here is that this is Javascript. Shaun didn't read the source for the answer, he literally did View -> Page Source to get the password.
I'm also guessing this was maybe an ASP developer, as the solution seems pretty straightforward if you don't know you can use != or ==
Admin
They forgot:
if (pass == "Password" ) {
    alert("We're not [quite] that dumb!");
    dataform.pass.focus();
    return false;
}
Admin
I saw somebody get into this page with a password of ***** (they didn't know I was watching, ha ha)
Admin
A real consultant would write the code the following way (for job security):
if pass == 0 return false
if pass == 1 return false
.
.
if pass == 90210 return true
if pass == 90211 return false
if pass == 90212 return false
.
.
to infinity.
Admin
not being a javascript guru myself I'm assuming that the line if (pass > 40017) will generate an error if the user entered in a five digit alpha string, as it would try and convert the string to an integer to compare against the value of 40017?
Admin
According to bad 80's computer-related movies, all I have to do is type "override password" to get around such high-level security measures.
Admin
I'm not a javascript guru either, but I like your suggestion better than most others posted.
My initial thought was that it would prevent the hexadecimal or octal formats of the number ("9C51" or "116 121") from being accepted as valid... But odds are good either javascript doesn't offer that type of auto-conversion, or it's giving the developer more credit than they deserve.
Admin
> forces a numeric context on both sides.
If the "pass" variable contains a non-numeric string, numeric context will interpret it as NaN ("not a number")
NaN > 40017 is false
NaN < 40017 is also false
NaN == NaN is false as well
Admin
So... taking everything into account... this code is STILL BROKEN
"90210" will work, as it should
"90209" and "90211" will fail, as they should
But ANY five-character password that numifies to NaN will also work, which is an error.
Admin
You're all missing the big question here - Is viewing the page source to obtain the password a violation of the DMCA?
Admin
Not quite generating an error... IIRC in javascript (string > number) or vice versa will always be false. So for this rather complex password system, any 5-character alphabetic string will be accepted.
(Just checked with the javascript console in firefox, and this code apparently does consider "hello" to be the correct password)
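The behaviour worked out in the comments above, as an added example that is not part of the thread or of the site's page: `flawedGate` is a reconstruction from the commenters' descriptions (range checks, length check, then `=` instead of `==`), so its exact shape and the 90210 constant are assumptions. `strictGate` fixes the comparison only; the expected value still ships in the page source, so the check itself belongs on the server.

```javascript
// Reconstruction (assumption) of the gate as the comments describe it.
// Form field values always arrive as strings.
function flawedGate(input) {
  let pass = input;
  if (pass === "") return "Password Required";
  // Relational operators coerce the string to a number. A non-numeric
  // string becomes NaN, and every comparison against NaN is false,
  // so neither range check rejects it.
  if (pass < 90210) return "Incorrect Password";
  if (pass > 90210) return "Incorrect Password";
  if (pass.length !== 5) return "Incorrect Password";
  // Assignment, not comparison: evaluates to 90210, which is truthy.
  if (pass = 90210) return "granted";
  return "Incorrect Password";
}

// Comparison corrected: exact string match, no numeric coercion.
function strictGate(input) {
  return input === "90210" ? "granted" : "Incorrect Password";
}

// Which of the given inputs does a gate let through?
function accepted(gate, inputs) {
  return inputs.filter((value) => gate(value) === "granted");
}

// Constructed sample inputs, including the ones named in the thread.
const SAMPLES = ["90210", "90209", "90211", "hello", "abcde", "abcdef", ""];

console.log("flawed gate accepts:", accepted(flawedGate, SAMPLES));
console.log("strict gate accepts:", accepted(strictGate, SAMPLES));
```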
Admin
Because normally it's "3l337." :)
Admin
So if someone enters "abcde" as a password it lets you in because it makes it through all the preliminary ifs and then the = vs == bug kicks in?
Admin
Rue the day something like THAT goes to court.
Admin
I once saw some similar js in an "are you a good hacker" series.
Admin
Quite a few adult sites had these genius JS passwd protections back in the good old days. It was actually quite fun just to surf around different sites to find out what they had tried out. Oh boy the amount of free quality porn
Admin
Leaving aside the fact that this code was available in the "View Source," it's apparent that the programmer wrote the if (pass = 90210) block first. He's using an assignment operator instead of the compare operator.
I imagine that his initial tests allowed any password through because his if-block always returned true. Then, instead of discovering that he had an invalid operation in his if-block, he wrote the other tests to systematically filter out bad passwords.
All I can say is ... wow!
Admin
It's a guessing game. They should have messages like "Ooh, nice try" or "try again, maybe a little lower."
Better, levenstein (sp?) distances comparing the password to the entered data, and to the last entered attempt, so the program could reply with "getting warmer...colder...warmer..."
Admin
No, "abcde" would evaluate to zero, and 0 < 90210, so it'd fail.
The code seems to work, albeit stupidly.
Admin
Nevermind. I forgot that string comparisons to numbers are always false.
Any 5 character string would work.
Admin
I guess the second var pass = dataform.pass.value; was purely written out of frustration because he thought maybe the pass variable has magically changed to the correct password.
I also have a tendency to write random obsolete code when I'm getting frustrated on a problem late at night, just so I can get the code to work.
Admin
And they congratulate you for remembering it!
Admin
what's with all the other crazy javascript when you do a view source?
Admin
Did anyone report this vulnerability to Bugtraq or the vulnerable site before publishing a working exploit?
Admin
'Clever' obfuscation?
Admin
WTF... ! -_-
Admin
It would appear so, or someone else checked it. The code's been changed to something a *little* more obscure. But the password still works!
Admin
Bob Hammer (Hammer Production Company) should become security consultant. He improved the code. The password is not right there in the code anymore, instead it uses some freak numerology now. Beautiful.
You know, someone should build an http server that can ask for a password for certain parts of your site. I'd PAY for that! And they also should somehow encrypt the traffic so that your passwords can't be sniffed.
Oh wait, we can LEVERAGE the client's JAVASCRIPT CAPABILITIES for that!
P.S.:
CSIsW3CDOM = ((document.getElementById) && !(IsIE()&&CSBVers<6)) ? true : false;
Admin
I can just hear the dev saying: "It's server side, see? The page sits on a server!"
Admin
Go here for a more sophisticated version of this wtf
http://www.paidsurveysonline.com/
It's obviously a scam site, but check out the source for memberaccess......
http://www.paidsurveysonline.com/membersaccess.html
So there's just one password, and you'd just have to write a quick brute force program to start multiplying characters of strings together until you get that number.
As a side note, this site is advertised here on wtf, is it perhaps put there by google for wtfness?
//Encrypted Password script- By Rob Heslop
//Script featured on Dynamic Drive
//Visit http://www.dynamicdrive.com
function submitentry(){
    password = document.password1.password2.value.toLowerCase()
    username = document.password1.username2.value.toLowerCase()
    passcode = 1
    usercode = 1
    for(i = 0; i < password.length; i++) {
        passcode *= password.charCodeAt(i);
    }
    for(x = 0; x < username.length; x++) {
        usercode *= username.charCodeAt(x);
    }
    //CHANGE THE NUMBERS BELOW TO REFLECT YOUR USERNAME/PASSWORD
    if(usercode==2.90171130144904e+22&&passcode==24386094146700)
    //CHANGE THE NUMBERS ABOVE TO REFLECT YOUR USERNAME/PASSWORD
    {
        window.location=password+".htm"
    }
    else{
        alert("password/username combination wrong")
    }
}
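Why the product-of-character-codes value in the script quoted above is not a password hash, as an added example that is not part of the thread or of the quoted script: `productCode` mirrors the script's loop, while `collisionGroups` and all sample strings are constructed here for illustration. Only `PAGE_USERCODE` is taken from the quoted script.

```javascript
// Same arithmetic as the quoted script: lower-case the input, then
// multiply the character codes together.
function productCode(text) {
  const lowered = text.toLowerCase();
  let code = 1;
  for (let i = 0; i < lowered.length; i++) {
    code *= lowered.charCodeAt(i);
  }
  return code;
}

// Group candidate strings by the code the script would compare against;
// any group with more than one member is a set of interchangeable inputs.
function collisionGroups(candidates) {
  const groups = new Map();
  for (const candidate of candidates) {
    const code = productCode(candidate);
    if (!groups.has(code)) groups.set(code, []);
    groups.get(code).push(candidate);
  }
  return [...groups.values()].filter((group) => group.length > 1);
}

// Constructed samples. Multiplication is commutative, so any reordering
// collides, and toLowerCase() folds case. Factors can also be regrouped:
// "0d" is 48 * 100 and "(x" is 40 * 120, both 4800.
const SAMPLES = ["secret", "terces", "Secret", "0d", "(x", "hello"];
const GROUPS = collisionGroups(SAMPLES);

// The usercode in the quoted script is larger than 2^53 - 1, so it is
// not an exact integer product: the low-order digits were rounded away,
// which widens the set of inputs that compare equal.
const PAGE_USERCODE = 2.90171130144904e+22;
const usercodeIsExact = Number.isSafeInteger(PAGE_USERCODE);

console.log(GROUPS, "usercode exact:", usercodeIsExact);
```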
Admin
Oh, come on. The real WTF here is that the target page is not protected whatsoever. You can just copy&paste its URL in the address box and hit return to open it. Very usable.
Ever seen a website where index.html will ask for a password, but all other pages will be ass-wide open? Including directory listing of directories with no index.html?
Or the frameset page asks for a password, but the pages inside the frameset can be accessed directly?
Admin
Ahh they need to optimise the for loop so that they don't have to calculate the string length in each loop.
for(i = 0,iLen=password.length; i < iLen; i++) {
    passcode *= password.charCodeAt(i);
}
for(x = 0,xLen=username.length; x < xLen; x++) {
    usercode *= username.charCodeAt(x);
}
There that fixed it.
Admin
Not quite. Because of his less than complete understanding of the way arrays work the first character of pass will be dropped when being transferred into K. Therefore any character followed by 4017 will result in an authenticated password. Unfortunately the redirection mechanism is
so you won't go to the right page if you give it an "incorrect" password even though it verified it.
Good fun.
Admin
My previous post was in reference to this post...
Admin
LOL - wait for it, it will be tomorrow's WTF I'm sure... and for job security? Because if they wanted to change the password from 90210 to, say, 90201 then he would have to be employed again long enough to change the true's and falses...
Admin
C'mon, you are joking. Not even a first year CS student can be this obviously stupid. Who QA'ed this code - he should be joining the programmer for Code Security Concepts 101.