Admin
Maybe there's a reason why this operation had not already been automated ...
Admin
Yeah, and our 'hero' now knows what it is...
Admin
So he didn't tell anyone about the vulnerabilities? That's nice.
Admin
Hell, no, you don't tell anybody about the vulnerabilities, because you don't want to be fired for hacking their website. Remember, discovering a vulnerability means you created that vulnerability. After all, nobody was saying anything about it until you pointed it out!
Admin
Why would he? They don't care. In fact, merely suggesting that somebody else screwed up has a good chance of sending them flying off into a rage that ends with you being walked out by security. Conradus is right on the money here.
Admin
Blah. Same old, same old. When has this ever become a point of discussion? That type of tripe occurs all the time. It is normally a result of stopping development when management deems it to be "good enough" without getting your input about how the process may fail in most circumstances. Been there, done that. When something is deemed "good enough", it goes into production without any forethought.
Admin
Definitely. I was supposed to turn an export process into a live report once.
There was a SQL job. That kicked off a PowerShell script. That kicked off a batch file. That kicked off a Windows executable with arguments. That filled in controls and clicked buttons. That called a stored procedure to export tab-delimited files through xp_cmdshell. Every bit of the "stored procedure" was concatenated SQL. Because reasons. After the export, another procedure imported those files into the same table so another procedure could re-export that table as a super file. Another procedure zipped and moved the super file. Another procedure created a "to send" list for e-mailing. Finally, before exiting, the job moved the zipped file somewhere else. At some point, another job was supposed to pick up and kick off Outlook (probably from PowerShell to batch to executable with no error handling) to actually send the e-mails.
I had it down to something like 20 lines of SQL. And then everybody just...forgot about it.
Admin
As an RPA guy, I feel obliged to point out that while Selenium is pretty damn good for this type of task, UiPath is now free for small businesses and private users, and better. Especially with non-browser apps, which Selenium doesn't do.
Captcha: "I am not a robot" Not yet, but soon I'll make one that pretends to be me.
Admin
Embedding images was probably disabled when some assburger-syndrome kook, pasting as Blakeyrat's handle, posted shock images like meatspin. G.I.F.T. in its pure form.
Admin
Yum, donkey burgers!
Admin
Quote/Captcha: "I am not a robot" Not yet, but soon I'll make one that pretends to be me
How do I know that this is not the robot-you pretending to be you right now?
Admin
Because robots don't lie.
Admin
I agree. It may have been different a few years ago, but these days, responsible disclosure is accepted more gracefully.
Admin
So now we basically DDoSed Selenium? Because it's down now.
Admin
And they have a plan.
Admin
I already told them about the vulnerabilities, advising them to move to a different CMS. So far I've even offered to rebuild their website on another CMS myself. They aren't interested (go figure).
The people to disclose the vulnerabilities to would actually be the producers of the CMS though. But they're a big organisation (who shall not be named) who aren't likely to be interested considering that their software is really badly made all round.
Admin
I worked for a software company that made web applications like that; they used a home-made "framework" which they wanted to be as generic as possible. When said framework was confronted with specific problems though, the sheer genericity of ABSOLUTELY EVERYTHING meant that you had no choice but to tweak some stuff on the client side of the application for it to work. I pointed out these problems, as well as the fact that the oversized generic framework had no documentation and was severely out of date (using node.js v0.12, we're currently at v6.11 stable). Needless to say, I only lasted 4 months there.
The funny thing is though that they had no clear reason to fire me; I did my job fine and finished my development on time. The excuse I was given was "there's no more work to do on this project by you right now and we have developers on all other projects".
Also, the home-made framework was forked from another public framework on GitHub, which was recently completely re-done, with the owner saying the reasons for the re-work were exactly the ones I told the company about.
In the future, I hope companies can be fired for general incompetence.
Admin
At least you have an excuse to laugh at. I worked one place where they let an Indian wrap half a dozen frameworks into a "standard" framework. Basically a lot of it looked like this (spelling intentional):
class SuprAwesumFraamewrk
{
    public void SvObj (obj o)
    {
        try {
            coll c = new framework2().LoadAllEntityObjectsEver();
            Session["entity"] = c;
            obj o2 = (coll)(Session["entity"]).New(typeof o).Save();
            if (o2.name == "") { bool BLN_Bool = new framework3().trueFalse(false); }
        } catch {}
    }
}
Performance was awful once you started using the system because it loaded the entire database into the session for every user. If you had to save an object twice, it created two or failed silently. No validation of anything anywhere but all errors were stifled so calling code would merrily go on its way corrupting data. Miles and miles of this in a repository locked to everybody but the Indian. Also forced master pages...and forced duplication of everything in those derived from them. Complete stupidity from top to bottom, never mind constant requirements for two incompatible components in the same context. Of course the Indian and its boss would throw hissy fits all the time about deadlines slipping. I'd get my work for the week done Monday morning, then wait for the Indian, unannounced of course, to set global margins negative and have to readjust 50 pages, one at a time, to account for it and then usually do it again when it would make another change or flip back after "counseling" me over my ugly layouts. Well, Pajeet, you see, I actually understand the box model and if you'd keep your mitts off of it...
Worst place I ever worked, and the competition was no slouch. I think they got me when, several months behind schedule, they had a hissy fit about an acronym in a local constant being capitalized and I "forgot" to change it. No, seriously. People that couldn't spell their own names the same way twice were really butthurt over my use of the shift key.