• (cs)

    At least this one was a 'Before Attending ...' instead of an 'I spent $30,000 there only to learn how to pick my nose and browse porn sites during class' .. Good choice in seeking an alternative university ...

  • (cs)

    What, they couldn't use the close-enough spelling page to route for the appropriate browser?

     

  • Bleck (unregistered)

    Blecky bleck. 111th.

    Anyway, I hope there was a pubwww.dbo.grades, the author would have been stoked.

  • Anony (unregistered)

    I need a WTFU t-shirt now.

  • Andy (unregistered)

        So, who besides me tried to go to the link?

    captcha: captcha

  • (cs)
    Alex Papadimoulis:
    <img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">
    

    ...

    <link rel="stylesheet" type="text/css" media="screen" href="/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" />

    See, that's not too bad. If you think about it, using SQL to retrieve resources like that actually can -- I got nothing. However, I will end today on a good note. After his experience on their webpage, Mike decided that a graduate degree at WTFU just wasn't the right thing for him …



    And a short time later, the images refused to load at all, almost as if the website content had DROPped off the face of the web...
  • (cs) in reply to R.Flowers
    R.Flowers:
    Alex Papadimoulis:
    <img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">
    

    ...

    <link rel="stylesheet" type="text/css" media="screen" href="/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" />

    See, that's not too bad. If you think about it, using SQL to retrieve resources like that actually can -- I got nothing. However, I will end today on a good note. After his experience on their webpage, Mike decided that a graduate degree at WTFU just wasn't the right thing for him …



    And a short time later, the images refused to load at all, almost as if the website content had DROPped off the face of the web...

    Bad pun.

    Bad, bad pun.  Sit! pun.

  • Dave (unregistered) in reply to R.Flowers
    R.Flowers:
    Alex Papadimoulis:
    <img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">
    

    ...

    <link rel="stylesheet" type="text/css" media="screen" href="/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" />

    See, that's not too bad. If you think about it, using SQL to retrieve resources like that actually can -- I got nothing. However, I will end today on a good note. After his experience on their webpage, Mike decided that a graduate degree at WTFU just wasn't the right thing for him …



    And a short time later, the images refused to load at all, almost as if the website content had DROPped off the face of the web...


    <img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

    wheeeeeee!

  • (cs) in reply to Andy
    Anonymous:
        So, who besides me tried to go to the link?

    captcha: captcha

    I did!
    Their Registrar probably shut them off for forgetting to sign the check.
  • (cs)

    At least the WTFU is covered if the W3C decides to invalidate the A tag.

  • (cs) in reply to ParkinT
    ParkinT:
    R.Flowers:

    And a short time later, the images refused to load at all, almost as if the website content had DROPped off the face of the web...

    Bad pun.

    Bad, bad pun.  Sit! pun.



    If you don't rub my face in it, I'll never learn!
  • (cs) in reply to Andy
    Anonymous:
        So, who besides me tried to go to the link?

    captcha: captcha


    Looking for something?  Don't bother.  I took care of the faulty site.
    In the meantime, can I offer some degrees in whatever field of choice?  Real cheap!

  • (cs) in reply to Dave
    Anonymous:

    <img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

    wheeeeeee!


    I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)

  • (cs)

    So is this site still live?  I would love to browse it in FireFo.

  • Whacky Waving Inflatable Arm Flailing Tube Man (unregistered) in reply to snoofle

    Yes it is, and that is why the end user should never, ever, ever see SQL.  If you have to allow user input for queries (as in a form variable to retrieve data), the LEAST you can do is rigorous validation.  Something like this I have never and hope to God will never ever see again.  It's like the developer is creating a honeypot for 13 year olds.

  • (cs)
    Alex Papadimoulis:
      

    function clickto(navId) {
    	var url = getUrlFromNavId(navId);
    	if (isBrowserIE()) {
    		navToUrlForIE(url);
    	} else if (isBrowserNetscape()) {
    		navToUrlForNetscape(url);
    	} else if (isBrowserFirefox()) {
    		navToUrlForFirefo(url);
    	} else {
    		window.location = url;
    	}
    }

    Is it just me or does that URL really need to be encoded specifically for a certain browser? There must be a reason behind that, though I can't think of one...

    Oh wait, maybe it redirects to a page specific to a browser... nevermind...


    Alex Papadimoulis:
    <img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">

    WebAdmin: "Not again! This is the 42nd time our db gets corrupted this week! Stupid database!"

  • (cs)
    Alex Papadimoulis:
    
    
    <img src="/imgSrc?SELECT data FROM pubwww.dbo.imgs WHERE id=51">
    

    ...

    <link rel="stylesheet" type="text/css" media="screen" href="/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" />



    Bah, no problem here.  All they need to do is protect it with Injection Rejection


  • Whacky Waving Inflatable Arm Flailing Tube Man (unregistered) in reply to snoofle
    snoofle:
    Anonymous:

    <img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

    wheeeeeee!


    I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)

     

    My last post was in reply to the above quoted message, not the site being live post.

  • (cs) in reply to Whacky Waving Inflatable Arm Flailing Tube Man
    Anonymous:
    a honeypot for 13 year olds.


    <ding>

    What is "myspace.com," Alex?
  • (cs) in reply to John Bigboote

    John Bigboote:
    Anonymous:
    a honeypot for 13 year olds.


    <ding>

    What is "myspace.com," Alex?

    A swimming pool for 13 year olds.

  • (cs) in reply to Bleck
    Anonymous:
    Blecky bleck. 111th.

    Anyway, I hope there was a pubwww.dbo.grades, the author would have been stoked.



    Even better would be pubwww.dbo.transcripts. Gives new meaning to the "Earn your degree ONLINE!!!" ads.

  • ben (unregistered)

    I think the image should say:
    EST. 19NaN


    just a thought

  • (cs) in reply to snoofle
    snoofle:
    Anonymous:

    <img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

    wheeeeeee!


    I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)

    It's more of a database issue than a web issue.  Any application communicating with a database is vulnerable.

    <img src="/imgSrc?EXEC master..xp_regdeletekey @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE">

    This would be a fun one!

  • (cs) in reply to snoofle
    snoofle:
    Anonymous:

    <img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

    wheeeeeee!


    I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



    This is actually not SQL injection. SQL injection involves you putting your query into a string that you know will be used in the query. This, on the other hand, lets you construct your own query without having to fool the query constructor code, as there is none. This leaves SQL open to anyone to do anything with ease. This is by far the least secure design I think I have ever seen in use by a company/institution. I really hope they were brutally attacked. If you construct something like this, not only do you deserve to be hacked, but you NEED to be hacked.

  • (cs) in reply to ParkinT
    ParkinT:

    John Bigboote:
    Anonymous:
    a honeypot for 13 year olds.


    <ding>

    What is "myspace.com," Alex?

    A swimming pool for 13 year olds.

    You don't watch Jeopardy much do ya?

  • ben (unregistered)

    The weird thing is that the SQL statement isn't even getting passed as a parameter properly. The URL "/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" sends you to the page /cssSrc, with a URL parameter of "SELECT_data_FROM_pubwww_dbo_csss_WHERE_id" set to "18". Unless cssSrc just does pattern matching on the URL ... which it well might.

  • (cs) in reply to OneMHz
    OneMHz:
    ParkinT:

    John Bigboote:
    Anonymous:
    a honeypot for 13 year olds.


    <DING>
    What is "myspace.com," Alex?

    A swimming pool for 13 year olds.

    You don't watch Jeopardy much do ya?

    Wha's Jeopardy ?

  • Adam (unregistered) in reply to ben
    Anonymous:
    I think the image should say:
    EST. 19NaN


    Or:
    EST. 19102

  • (cs) in reply to ben
    Anonymous:
    The weird thing is that the SQL statement isn't even getting passed as a parameter properly. The URL "/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" sends you to the page /cssSrc, with a URL parameter of "SELECT_data_FROM_pubwww_dbo_csss_WHERE_id" set to "18". Unless cssSrc just does pattern matching on the URL ... which it well might.

    That assumes proper CGI parsing of the URL. Based on everything else in the WTF, it's quite likely that the "cssSrc" application just gets a raw URL, and does its own parsing.

  • (cs) in reply to ben



    Anonymous:
    The weird thing is that the SQL statement isn't even getting passed as a parameter properly. The URL "/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18" sends you to the page /cssSrc, with a URL parameter of "SELECT_data_FROM_pubwww_dbo_csss_WHERE_id" set to "18". Unless cssSrc just does pattern matching on the URL ... which it well might.


    I think you're giving them WAY too much benefit-of-the-doubt. Looks like the cssSrc just executes the querystring outright. Assuming that they're doing pattern matching based on the degree of ineptitude we've already seen is like saying "well, he left his keys in the ignition with the doors unlocked, but there's probably a retinal scanner in the visor mirror."
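
The query-string point raised in the three comments above, worked through as an added example (mine, not code from the page or from WTFU): what CGI's QUERY_STRING carries for the page's `/cssSrc?SELECT ... WHERE id=18` URL, what a form-parameter parser turns that into, and a `cssSrc` that accepts only a row id and binds it. The underscore rendering ben quotes is PHP's doing (it rewrites spaces and dots in parameter names to underscores); Python's `parse_qs` keeps the name verbatim. The `csss` row, the `extract_id`/`css_handler` names and the use of SQLite in place of the site's database are all assumptions of this example.

```python
"""What a web program actually receives from the cssSrc URL quoted on the page,
and a cssSrc that only accepts a row id.  Added example, not the page's code;
the 'csss' table row below is constructed for the demonstration."""
import sqlite3
from urllib.parse import urlsplit, parse_qs

# The stylesheet URL exactly as it appears in the page's HTML.
PAGE_URL = "/cssSrc?SELECT data FROM pubwww.dbo.csss WHERE id=18"


def raw_query_string(url):
    """CGI hands the program everything after '?' as QUERY_STRING, untouched.
    A handler that feeds this straight to the database is the WTFU design."""
    return urlsplit(url).query


def as_parameters(url):
    """What a form-parameter parser makes of the same bytes: one parameter
    whose *name* is the SQL text up to the '=' and whose value is '18'.
    (PHP would additionally turn the spaces and dots in the name into '_'.)"""
    return parse_qs(raw_query_string(url))


def extract_id(query_string):
    """The validation the thread asks for: exactly one 'id' parameter, digits
    only.  Anything else, including a whole statement, is rejected before the
    database is involved.  Returns the integer id or None."""
    values = parse_qs(query_string).get("id", [])
    if len(values) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


def make_css_db():
    """Constructed stand-in for pubwww.dbo.csss (SQLite instead of the site's server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE csss (id INTEGER PRIMARY KEY, data TEXT)")
    conn.execute("INSERT INTO csss VALUES (18, 'body { font-family: Tahoma }')")
    return conn


def css_handler(conn, query_string):
    """Hardened cssSrc: the statement lives in the program, the client only
    supplies a bound integer.  Returns (HTTP status, body)."""
    css_id = extract_id(query_string)
    if css_id is None:
        return 400, ""
    row = conn.execute("SELECT data FROM csss WHERE id = ?", (css_id,)).fetchone()
    if row is None:
        return 404, ""
    return 200, row[0]


if __name__ == "__main__":
    print(raw_query_string(PAGE_URL))
    print(as_parameters(PAGE_URL))
    db = make_css_db()
    print(css_handler(db, "id=18"))
    print(css_handler(db, raw_query_string(PAGE_URL)))   # rejected: no 'id' parameter
    print(css_handler(db, "id=18 OR 1=1"))               # rejected: value is not digits
```

Run it and the first two lines show the gap the comments are circling: the raw string is a complete SQL statement, while a parameter parser sees a parameter named `SELECT data FROM pubwww.dbo.csss WHERE id` with the value `18`. Either way, the fix is the same: the handler names the statement and the client contributes nothing but a validated, bound integer.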

  • (cs) in reply to John Bigboote
    John Bigboote:
    Anonymous:
    a honeypot for 13 year olds.


    <ding>

    What is "myspace.com," Alex?


    I'm sorry, we were looking for "Pamela Rogers." But you retain control of the board...
  • PS (unregistered) in reply to GoatCheez
    GoatCheez:
    snoofle:
    Anonymous:

    <img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

    wheeeeeee!


    I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



    This is actually not SQL injection. SQL injection involves you putting your query into a string that you know will be used in the query. This, on the other hand, lets you construct your own query without having to fool the query constructor code, as there is none. This leaves SQL open to anyone to do anything with ease. This is by far the least secure design I think I have ever seen in use by a company/institution. I really hope they were brutally attacked. If you construct something like this, not only do you deserve to be hacked, but you NEED to be hacked.



    To put it metaphorically, if SQL injection is sneaking into a secured building through the sewers, this is walking right through the front door.
  • (cs) in reply to PS
    Anonymous:
    GoatCheez:
    snoofle:
    Anonymous:

    <img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

    wheeeeeee!


    I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



    This is actually not SQL injection. SQL injection involves you putting your query into a string that you know will be used in the query. This, on the other hand, lets you construct your own query without having to fool the query constructor code, as there is none. This leaves SQL open to anyone to do anything with ease. This is by far the least secure design I think I have ever seen in use by a company/institution. I really hope they were brutally attacked. If you construct something like this, not only do you deserve to be hacked, but you NEED to be hacked.



    To put it metaphorically, if SQL injection is sneaking into a secured building through the sewers, this is walking right through the front door.


    lol... yeah... I envision a huge building that represents the site. The front doors have locks, however the building doesn't have any walls.... So, even though their doors are locked, you just have to step to a side and keep walking to get through lol.
  • Anonymous Hero (unregistered)

    This is real site of a real University? prove it Alex. post the link!

     

    Captcha: java

  • Juifeng (unregistered) in reply to GoatCheez
    GoatCheez:
    This is by far the least secure design I think I have ever seen in use by a company/institution.

    Let's not forget client-side PHP! It's an all-in-one solution to your problems, not only SQL injection, but pretty much anything injection.

    Of course, let's hope that it wasn't a company/institution design.

    I guess the javascript function to fetch a URL from the span ID used XmlHttpRequest to get the correct URL in a web2.0 and ajaxy fashion. Of course, the XML file called was: /xmlSrc?SELECT url FROM pubwww.dbo.links WHERE id=id

  • Dick Wolf (unregistered)

    Oh. My. GOD.

    I've known people who didn't test their web code... MADDENING, it is.

  • (cs) in reply to Kodi
    Kodi:
    OneMHz:
    ParkinT:

    John Bigboote:
    Anonymous:
    a honeypot for 13 year olds.


    <ding>
    What is "myspace.com," Alex?
    </ding>

    A swimming pool for 13 year olds.

    You don't watch Jeopardy much do ya?

    Wha's Jeopardy ?



    Correct.  That's it for "Game Shows for Pretentious Know-it-alls"; please choose another category...
  • Shizzle (unregistered) in reply to GoatCheez
    GoatCheez:


    Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?
  • (cs) in reply to Raider

    Raider:
    ...only to learn how to pick my nose and browse porn sites during class...

    Ah, physics and chemistry class...how I miss thee.

  • (cs) in reply to Shizzle
    Anonymous:
    GoatCheez:


    Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?


    It's a police composite sketch of Cartman from an episode of South Park.
  • (cs)

    Hypothetically, if the cssSrc app used a DB user with extremely limited rights (say, only SELECT on that single table), how much damage could a cracker do?

    Not that I expect WTFU to be smart enough for that.

  • (cs) in reply to John Bigboote

    John Bigboote:
    Anonymous:
    GoatCheez:


    Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?


    It's a police composite sketch of Cartman from an episode of South Park.

    If my timeline is correct, it was first done for a Fark photoshop contest a few years ago: "Photoshop your favorite cartoon characters in real life." I think it was the winning entry; the entrant sketched out the four kids from SP as real kids.

    Parker and Stone saw it and used it in an upcoming episode.

  • (cs) in reply to themagni
    themagni:

    John Bigboote:
    Anonymous:
    GoatCheez:


    Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?


    It's a police composite sketch of Cartman from an episode of South Park.

    If my timeline is correct, it was first done for a Fark photoshop contest a few years ago: "Photoshop your favorite cartoon characters in real life." I think it was the winning entry; the entrant sketched out the four kids from SP as real kids.

    Parker and Stone saw it and used it in an upcoming episode.



    Awesome. Shades of Snakes on a Plane.
  • (cs)
    Alex Papadimoulis:

    [image] 

    WTF University, I will miss Thee. Think of the WTFU Alma Mater 
    By the way, you can't spell wtfuniversity without 'F' 'U' 'N' !
     
  • Unklegwar (unregistered) in reply to snoofle
    snoofle:
    Anonymous:

    <img src="/imgSrc?DROP TABLE pubwww.dbo.imgs ">

    wheeeeeee!


    I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



    sql injection is actually done by entering specially formed sql snippets in input areas on a form in the hopes of finding out that the site uses dynamic sql strings...

    This isn't injection, this is way easier, almost invited. Good god.  I can see it now "Meh, the average user doesn't ever look at the source, and if they do, they won't realize what this is."

    I want to hear the update that the DROP scenario actually happened.

  • jcw9 (unregistered) in reply to ben

    or maybe the year should be 19101? :D

  • (cs) in reply to themagni
    themagni:

    John Bigboote:
    Anonymous:
    GoatCheez:


    Seriously, what is up with GoatCheez's picture... it creeps me out.  Who/what is it?


    It's a police composite sketch of Cartman from an episode of South Park.

    If my timeline is correct, it was first done for a Fark photoshop contest a few years ago: "Photoshop your favorite cartoon characters in real life." I think it was the winning entry; the entrant sketched out the four kids from SP as real kids.

    Parker and Stone saw it and used it in an upcoming episode.



    In all honesty, I always thought it was a portrait or a drawing of him.
    Is that a bad assumption?

    Mike Rod
  • (cs)

    Searching for "navToUrlForFirefo" in Google didn't yield any results so I'd say that they at least knew how to use the robots.txt file. So we can forget about DROPping any tables...

  • Mark H (unregistered) in reply to snoofle
    snoofle:

    I'm not a web person - is this what they call sql-injection? (that's a bad thing, right?)



    Not really... SQL injection implies that you're putting arbitrary SQL code somewhere that it's not supposed to go. Like in a password field you put

    OR 1=1

    So that the complete query looks like
    select * from users where user_name="<username>" and password="<password>" or 1=1

    This defeats the password.

    But given that they're arbitrarily executing whatever gets passed in there, it's not really SQL injection, it's more like a goofy SQL ad-hoc interpreter.

    But yes, "bad" is one way to describe it.
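
Mark H's `OR 1=1` login bypass, the raw-statement design GoatCheez and Unklegwar contrast it with, and Cliff's question about a SELECT-only database user, worked through side by side in one added example (mine, not code from the page or from WTFU). SQLite stands in for the site's database (the `dbo.` schema on the page suggests SQL Server), the `imgs`/`users` rows and the password are constructed, and since SQLite has no GRANT the SELECT-only principal is modelled with an authorizer callback; all function names are this example's own.

```python
"""Three ways SQL can reach a database, plus the least-privilege caveat.
Added example (not the page's or WTFU's code); the tables, rows and
password are constructed here, and SQLite stands in for the site's server."""
import sqlite3


def make_db():
    """Constructed schema: an 'imgs' table like the one in the page's URLs, plus
    'users' for the classic login query.  The plaintext password exists only to
    keep the demonstration short; never store passwords this way."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE imgs  (id INTEGER PRIMARY KEY, data BLOB);
        INSERT INTO imgs  VALUES (51, X'89504E47');          -- first four PNG bytes
        CREATE TABLE users (user_name TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'correct horse');
    """)
    return conn


def try_raw(conn, query_string):
    """The WTFU design: whatever followed '?' is the statement.  There is no
    query to inject into; the client simply writes the query.
    Returns (True, rows) on success or (False, error text) on failure."""
    try:
        return True, conn.execute(query_string).fetchall()
    except sqlite3.Error as exc:
        return False, str(exc)


def login_concat(conn, user_name, password):
    """Classic injection target (Mark H's example): user input is pasted into
    the statement text, so a quote in the password rewrites the WHERE clause."""
    sql = ("SELECT user_name FROM users WHERE user_name='%s' AND password='%s'"
           % (user_name, password))
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user_name, password):
    """Same lookup with bound parameters: the payload is compared as data, so
    ' OR '1'='1 is just a password nobody has."""
    sql = "SELECT user_name FROM users WHERE user_name=? AND password=?"
    return conn.execute(sql, (user_name, password)).fetchone() is not None


def restrict_to_select_on(conn, table):
    """Cliff's hypothetical: a database principal allowed only SELECT on one
    table.  SQLite has no GRANT, so an authorizer callback plays that role:
    every other action (DROP, INSERT, reading another table, PRAGMA, ...) is
    refused when the statement is compiled."""
    def authorizer(action, arg1, arg2, db_name, trigger_name):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == table:   # arg1 = table, arg2 = column
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn


if __name__ == "__main__":
    db = make_db()
    print(try_raw(db, "SELECT data FROM imgs WHERE id=51"))
    print(login_concat(db, "nobody", "' OR '1'='1"))   # True: password check bypassed
    print(login_param(db, "nobody", "' OR '1'='1"))    # False: compared as data
    restrict_to_select_on(db, "imgs")
    print(try_raw(db, "DROP TABLE imgs"))               # refused by the authorizer
    print(try_raw(db, "SELECT password FROM users"))    # refused: other table
    print(try_raw(db, "SELECT data FROM imgs"))         # still allowed, every row of it
```

On a fresh connection `try_raw` runs `DROP TABLE imgs` without complaint, which is the whole story of the thread; `login_concat` accepts `' OR '1'='1` as a password while `login_param` does not. With the authorizer installed, `DROP TABLE imgs` and `SELECT password FROM users` fail before execution, which answers Cliff's hypothetical as far as it goes: a SELECT-only principal stops destruction and cross-table reads, but the client can still dump every row of the permitted table and issue arbitrarily expensive queries, so it shrinks the blast radius rather than making the design acceptable.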
  • Tanish (unregistered)

    Forgot that HTML crap... Who's the girl playing foosball whose left breast we're all ogling, that's what I want to know!

Leave a comment on “wtfuniversity.edu”
