Admin
Obviously TRWTF is that the contractor didn’t add that URL to the website’s robots.txt to let all the bad people know that visiting that page was not allowed
Admin
I don't understand the last bit - phpMyAdmin is third-party software and I've never seen it without a login screen. Did our hero somehow hack around that to remove the login page?
Although I feel a more characteristic conclusion would have been that there is a login page, but the username is "admin" with password "password". And the password would either be hardcoded in the source code, or stored in plaintext in the database. Or probably both.
Admin
And aside from the gaping security holes, there's a coding curiosity which isn't mentioned in the commentary. It appears you need to set these query parameters to special "magic" values ("NoLoc" etc) to turn off that part of the search. Is simply omitting a query parameter not something that's done by this contractor?
Admin
phpMyAdmin has a config file that can be set up with the DB credentials embedded and can be configured so as to not require a login (at least in older versions - I haven't used it in a while). In fact in the really old versions you controlled access to it via a .htaccess file.
Admin
I'm not a PHP person, but apparently phpMyAdmin allows (or if not currently, then allowed at one time) login credentials to be put in a plain-text config file, as a convenience while developing on your local machine. Of course, that configuration should never make it into an actual dev environment, much less production. And the environments should have different credentials, so the information in the config shouldn't work even if it did make it past the developer's local machine. But who's taking bets on whether there was ever any non-production environment to begin with?
Admin
The phpMyAdmin curiosity is just as likely a leftover shell that had been used to plant malware or phishing pages on the site and never cleaned up.
Admin
How do we know that a given room did not fit into multiple "type_id" categories and that the user could only search for 1....
Admin
Graeme, I imagine.
Admin
"without a login screen", it says: "no password or other inconvenience required." The default in phpMyAdmin is user "root" and password "", so.... no password needed, it's a blank password. It was never said there was no login screen.
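For readers who have not seen what the commenters above are describing (credentials embedded in phpMyAdmin's config file, a blank root password, and the "no login screen" behaviour), here is an added illustration. It is not the contractor's configuration and not code from the article; it is two contrasting fragments of a phpMyAdmin `config.inc.php`, one with the weak "config" auth type the thread describes and one with the cookie-based login form. The directive names are phpMyAdmin's real ones; the host name, the secret placeholder and the "before/after" framing are assumptions, and in a real deployment only one of the two server blocks would be present.

```php
<?php
// Added example, not the contractor's file and not phpMyAdmin's shipped sample.
// Directive names are phpMyAdmin's own; host/secret values are assumed placeholders.

$i = 0;

// --- BEFORE: the pattern the thread describes.
// auth_type 'config' takes the DB credentials from this file, so anyone who can
// reach /phpmyadmin/ is logged straight in as this account with no login form.
$i++;
$cfg['Servers'][$i]['host']            = 'localhost';   // assumed host
$cfg['Servers'][$i]['auth_type']       = 'config';      // credentials come from this file
$cfg['Servers'][$i]['user']            = 'root';
$cfg['Servers'][$i]['password']        = '';            // blank password, as the comment above describes
$cfg['Servers'][$i]['AllowNoPassword'] = true;          // phpMyAdmin refuses an empty password unless this is set

// --- AFTER: cookie auth presents a login form and stores no credentials here.
// (Only one server block would exist in practice; $i is bumped so both can be shown.)
$i++;
$cfg['Servers'][$i]['host']            = 'localhost';   // assumed host
$cfg['Servers'][$i]['auth_type']       = 'cookie';      // login form, session held in a cookie
$cfg['Servers'][$i]['AllowNoPassword'] = false;         // reject accounts with empty passwords
$cfg['Servers'][$i]['AllowRoot']       = false;         // reject the root account outright
// Cookie auth needs a secret to encrypt the session cookie; use a long random value, not this placeholder.
$cfg['blowfish_secret'] = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';
```

The practical check, if you inherit a site like this, is to grep the web root for `auth_type` and for a non-empty `['password']` in any `config.inc.php`, and to confirm the phpMyAdmin path is either removed from production or fenced off (IP allow-list or HTTP auth in front of it) rather than relying on the application's own login.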