Admin
At least this one was a 'Before Attending ...' instead of an 'I spent $30,000 there only to learn how to pick my nose and browse porn sites during class' .. Good choice in seeking an alternative university ...
Admin
What, they couldn't use the close-enough spelling page to route for the appropriate browser?
Admin
Blecky bleck. 111th.
Anyway, I hope there was a pubwww.dbo.grades; the author would have been stoked.
Admin
I need a WTFU t-shirt now.
Admin
So, who besides me tried to go to the link?
captcha: captcha
Admin
And a short time later, the images refused to load at all, almost as if the website content had DROPped off the face of the web...
Admin
Bad pun.
Bad, bad pun. Sit! pun.
Admin
Admin
I did!
Their Registrar probably shut them off for forgetting to sign the check.
Admin
At least the WTFU is covered if the W3C decides to invalidate the A tag.
Admin
If you don't rub my face in it, I'll never learn!
Admin
Looking for something? Don't bother. I took care of the faulty site.
In the meantime, can I offer some degrees in whatever field of choice? Real cheap!
Admin
I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)
Admin
So is this site still live? I would love to browse it in FireFo.
Admin
Yes it is, and that is why the end user should never, ever, ever see SQL. If you have to allow user input for queries (as in a form variable to retrieve data), the LEAST you can do is rigorous validation. Something like this I have never and hope to God will never ever see again. It's like the developer is creating a honeypot for 13 year olds.
Admin
Is it just me or does that url really need to be encoded specifically for a certain browser? There must be a reason behind that, though I can't think of one...
Oh wait, maybe it redirects to a page specific to a browser... nevermind...
WebAdmin: "Not again! This is the 42nd time our db gets corrupted this week! Stupid database!"
Admin
Bah, no problem here. All they need to do is protect it with Injection Rejection
Admin
My last post was in reply to the above quoted message, not the site being live post.
Admin
<ding>
What is "myspace.com," Alex?
Admin
A swimming pool for 13 year olds.
Admin
Even better would be pubwww.dbo.transcripts. Gives new meaning to the "Earn your degree ONLINE!!!" ads.
Admin
I think the image should say:
EST. 19NaN
just a thought
Admin
It's more of a database issue than a web issue. Any application communicating with a database is vulnerable.
<img src="/imgSrc?EXEC master..xp_regdeletekey @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE">
This would be a fun one!
Admin
This is actually not SQL injection. SQL injection involves you putting your query into a string that you know will be used in the query. This, on the other hand, lets you construct your own query without having to fool the query constructor code, as there is none. This leaves SQL open to anyone to do anything with ease. This is by far the least secure design I think I have ever seen in use by a company/institution. I really hope they were brutally attacked. If you construct something like this, not only do you deserve to be hacked, but you NEED to be hacked.
Admin
You don't watch Jeopardy much do ya?
Admin
The weird thing is that the SQL statement isn't even getting passed as a parameter properly. The URL "/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" sends you to the page /cssSrc, with a URL parameter of "SELECT_data_FROM_pubwww_dbo_csss_WHERE_id" set to "18". Unless cssSrc just does pattern matching on the URL ... which it well might.
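As an added example (mine, not from the thread), here is how Python's standard query-string parser sees the URL quoted above, beside a lookup handler that keeps the SQL text in the code and binds only the id; the table and rows are constructed stand-ins, and note that Python keeps the spaces in the parameter name where PHP would turn them into underscores.

```python
# Added example, not code from the site discussed in the thread.
import sqlite3
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The URL quoted in the post: the whole SQL statement sits in the query string.
WTF_URL = "/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18"


def parse_as_cgi(url: str) -> dict:
    """Split the URL the way a normal CGI/WSGI layer does: everything after
    '?' is read as key=value pairs, so the 'query' becomes one odd parameter
    whose name is the SQL text and whose value is '18'."""
    return parse_qs(urlsplit(url).query)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for pubwww.dbo.csss: an in-memory table, two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE csss (id INTEGER PRIMARY KEY, data TEXT)")
    con.executemany(
        "INSERT INTO csss VALUES (?, ?)",
        [(18, "body { color: red; }"), (19, "body { color: blue; }")],
    )
    con.commit()
    return con


def css_src(con: sqlite3.Connection, query_string: str) -> Optional[str]:
    """Hardened handler (hypothetical name): the client only supplies an id.
    The SQL text is fixed in code and the id travels as a bound parameter,
    after the rigorous validation the thread asks for (digits only)."""
    raw = parse_qs(query_string).get("id", [""])[0]
    if not raw.isdigit():
        return None  # reject anything that is not a plain integer id
    row = con.execute("SELECT data FROM csss WHERE id = ?", (int(raw),)).fetchone()
    return row[0] if row else None
```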
Admin
What's Jeopardy?
Admin
Or:
EST. 19102
Admin
That assumes proper CGI parsing of the URL. Based on everything else in the WTF, it's quite likely that the "cssSrc" application just gets a raw URL, and does its own parsing.
Admin
I think you're giving them WAY too much benefit-of-the-doubt. Looks like the cssSrc just executes the querystring outright. Assuming that they're doing pattern matching based on the degree of ineptitude we've already seen is like saying "well, he left his keys in the ignition with the doors unlocked, but there's probably a retinal scanner in the visor mirror."
Admin
I'm sorry, we were looking for "Pamela Rogers." But you retain control of the board...
Admin
To put it metaphorically, if SQL injection is sneaking into a secured building through the sewers, this is walking right through the front door.
Admin
lol... yeah... I envision a huge building that represents the site. The front doors have locks, however the building doesn't have any walls.... So, even though their doors are locked, you just have to step to a side and keep walking to get through lol.
Admin
This is a real site of a real University? Prove it, Alex. Post the link!
Captcha: java
Admin
Let's not forget client side PHP! It's an all-in-one solution to your problems, not only SQL injection, but pretty much anything injection.
Of course, let's hope that it was no company/institution design.
I guess the javascript function to fetch a URL from the span ID used XmlHttpRequest to get the correct URL in a web2.0 and ajaxy fashion. Of course, the XML file called was: /xmlSrc?SELECT url FROM pubwww.dbo.links WHERE id=id
Admin
Oh. My. GOD.
I've known people who didn't test their web code... MADDENING, it is.
Admin
Correct. That's it for "Game Shows for Pretentious Know-it-alls"; please choose another category...
Admin
Seriously, what is up with GoatCheez's picture... it creeps me out. Who/what is it?
Admin
Ah, physics and chemistry class...how I miss thee.
Admin
It's a police composite sketch of Cartman from an episode of South Park.
Admin
Hypothetically, if the cssSrc app used a DB user with extremely limited rights (say, only SELECT on that single table), how much damage could a cracker do?
Not that I expect WTFU to be smart enough for that.
Admin
If my timeline is correct, it was first done for a Fark photoshop contest a few years ago: "Photoshop your favorite cartoon characters in real life." I think it was the winning entry; the entrant sketched out the four kids from SP as real kids.
Parker and Stone saw it and used it in an upcoming episode.
Admin
Awesome. Shades of Snakes on a Plane.
Admin
sql injection is actually done by entering specially formed sql snippets in input areas on a form in the hopes of finding out that the site uses dynamic sql strings...
This isn't injection, this is way easier, almost invited. Good god. I can see it now "Meh, the average user doesn't ever look at the source, and if they do, they won't realize what this is."
I want to hear the update that the DROP scenario actually happened.
Admin
or maybe the year should be 19101? :D
Admin
In all honesty, I always thought it was a portrait or a drawing of him.
Is that a bad assumption?
Mike Rod
Admin
Searching for "navToUrlForFirefo" in Google didn't yield any results so I'd say that they at least knew how to use the robots.txt file. So we can forget about DROPping any tables...
Admin
Not really... SQL injection implies that you're putting arbitrary SQL code somewhere it's not supposed to go, like in a password field you put
OR 1=1
So that the complete query looks like
select * from users where user_name="<username>" and password="<password>" or 1=1
This defeats the password.
But given that they're arbitrarily executing whatever gets passed in there, it's not really SQL injection, it's more like a goofy SQL ad-hoc interpreter.
But yes, "bad" is one way to describe it.
Admin
Forgot that HTML crap... Who's the girl playing foosball whose left breast we're all ogling, that's what I want to know!