• Yazeran (unregistered)

    Oh My God!

    Code that bad and directly on the web - now that's a worthy WTF

    Granted I have made my share of dubious systems in the past, but Never Ever have they been in any way accessible from the outside world.

    Yazeran

  • (nodebb)

Again, deja vu for me, I also worked at a company 15 years ago, and they had a classic ASP HR application which did reviews, time sheets, etc. And they also bought Workday for some reason. I never did any work on that ASP app but maybe it was the same company? 🤣

  • Hanzito (unregistered)

    Are these IT departments really filled with people that can cobble some code together but have no idea of servers, networks, etc.?

  • (nodebb)

I still provide support for our resourcing/invoicing/timesheet application that is written in classic ASP. In fact, I thought this might be the same one until I saw

    Because there wasn't any authentication. There was a "logon screen"

    We don't have even have a login screen.

    To be fair, the web site is protected by AD credentials but once you are in, you have fun access to everything.

    Addendum 2023-09-06 07:44: *full. Nothing about the system is fun.

  • Robin (unregistered)

    If Session("User_Type" == "ADMIN") might have fixed the immediate bug

    I'm not familiar with whichever language this is (VB?), but I'm reasonably confident that wouldn't work as intended without fixing where the closing parenthesis is 😉

  • I'm not a robot, I found the bikes (unregistered) in reply to Hanzito

    In the age of classic ASP, there still were developers who never did any network coding before. All they knew was creating a windows forms app that did stuff to the filesystem.

  • (nodebb)

    Off topic, but I couldn't help myself:

    https://www.theregister.com/2023/09/05/birmingham_city_council_oracle/

    On the news in a few years: world war 3 has broken out with nuclear strikes on Moscow, Beijing, London and Washington, after Oracle ERP implementation led to escalation of conflict between world superpowers :)

  • (nodebb) in reply to Robin

    The site needs a proofreader!

  • (nodebb)

    This may not have been an IT person. I used to work at a help desk and I implemented an internal tool. Granted, we had an IT team which provisioned a server and made sure it was not visible to the outside world! Soooo maybe my point is moot lol.

  • (nodebb)

    Ah yes, reminds me of the story I submitted here, where a college professor of mine made a site for a class. Your username and password, once submitted for login, appeared on every other page in hidden form fields in the form of a user id, every link being a form submission. So you could change the id to access anyone else's "account".

The irony was this was a cryptography class. It was experimental; nobody was able to crack any ciphers past a few basic ones in the first few weeks. If it had been a web security class I would have aced it.

  • (nodebb)

    *puts pendant on*

    Technically there was authentication (or well, "authentication"), but there was no authorization in the code.
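The two comments above (the hidden-field user id that let anyone open another account, and the point that the site had authentication but no authorization) describe the same defect from two angles. The following is an added illustration, not code from the article or from any commenter: a vulnerable handler that trusts a form field for identity, beside a hardened one that takes identity only from the server-side session and checks ownership or role before returning a record. The account store, session objects and form fields are constructed sample data; there is no real web framework or database behind them.

```javascript
// Added example (not from the article or the comment thread). Sessions, form
// fields and the account store are constructed here to model the two patterns.

// Simulated account store (constructed sample data). The role lives server-side.
const ACCOUNTS = {
  101: { owner: "alice", role: "USER",  record: "alice's timesheet" },
  102: { owner: "bob",   role: "ADMIN", record: "bob's timesheet" },
};

// Vulnerable pattern: the user id travels in a hidden form field and the server
// trusts it. Whoever edits that field reads someone else's record, because the
// session is never consulted (authentication happened, authorization did not).
function vulnerableView(_session, form) {
  const id = Number(form.user_id);          // client-controlled value
  const acct = ACCOUNTS[id];
  return acct ? { status: 200, body: acct.record } : { status: 404 };
}

// Hardened pattern: identity comes only from the server-side session created at
// login; the role is looked up server-side; every record access is checked
// against that identity (object-level authorization).
function hardenedView(session, form) {
  if (!session || !session.userId) return { status: 401 };   // not logged in
  const requested = Number(form.user_id);
  const self = session.userId;
  const isAdmin = Boolean(ACCOUNTS[self]) && ACCOUNTS[self].role === "ADMIN";
  // Only the record's owner or an admin may view it; everyone else is refused.
  if (requested !== self && !isAdmin) return { status: 403 };
  const acct = ACCOUNTS[requested];
  return acct ? { status: 200, body: acct.record } : { status: 404 };
}

// Scenario: alice is logged in (session user 101) but submits a tampered hidden
// field pointing at bob's record (102). Each key is one request outcome.
function runScenario() {
  const aliceSession = { userId: 101 };
  const tampered = { user_id: "102" };
  return {
    vulnerable:    vulnerableView(aliceSession, tampered),     // leaks bob's record
    hardened:      hardenedView(aliceSession, tampered),       // 403
    hardenedOwn:   hardenedView(aliceSession, { user_id: "101" }), // 200, own record
    hardenedAdmin: hardenedView({ userId: 102 }, { user_id: "101" }), // admin may view
    hardenedAnon:  hardenedView(null, { user_id: "101" }),     // 401, no session
  };
}
```

The hardened handler still accepts a `user_id` field (an admin may legitimately look at someone else's record), but the decision to honour it is made from the session and the server-side role, never from anything the browser sent. Auditing a legacy app for this class of bug comes down to asking, for each page, where the identity and role used in the check actually come from.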

  • (nodebb) in reply to Medinoc

    If you're going to be pedantic, don't misspell "pedant".

  • (nodebb) in reply to Barry Margolin

    How do you know Medinoc doesn't like to wear a pendant while being pedantic?

  • WTFGuy (unregistered)

    This also smells like the classic situation where an app is "designed" for purely intranet use. 5 or 15 years later somebody decided that to permit remote worker access the app would be exposed to the internet. And of course in those 5 to 15 years the threat from the internet got a LOT more sophisticated.

And the WTF of course is that the IT shop writ large had no security audit for whether exposing this 1990s tinkertoy to the 2010 or 2020 internet had any gotchas attached. Neither the network folks nor the dev folks nor the security folks did any sort of review. Somebody just published a url or opened a firewall port or whatever and here we are. Most likely on a Friday afternoon following an unpleasant phone call from a non-technical uber-Boss.

  • Fizzlecist (unregistered)

    Maybe it was a pedantic pendant?

  • (nodebb)

Every single time some random dev tells they are confident they can easily write an authentication scheme from scratch for a new web site and it will be secure, I very much doubt so.

    And every time I'm right.

There is nothing easy about writing a solid authorization login system and being actually capable of proving it is secure.

  • Yazeran (unregistered) in reply to Mr. TA

    Poor Birmingham.

    But nice to know that we are not the only ones in the claws of a failed Oracle Fusion migration (or as I call it Oracle Confusion).

For over a year our project managers have been almost in the dark as to the financial status / budget of their projects as they have been unable to get any sensible data from the system (not to mention purchase orders vanishing unless you know the precise vendor and/or price as until recently you could not find orders by searching for the unique ID... WTF!)

    Yazeran

Leave a comment on “The Administrator Hack”
