Real Security

  • Remy Porter 2012-10-31 10:51
    Obligatory Bobby Tables reference.
  • Samuele Mattiuzzo 2012-10-31 10:58
    This won't make Judy S. (5-time MostFaithful person award) happy.
  • Cantabrigian 2012-10-31 10:58
    Remy Porter:
    Obligatory Bobby Tables reference.


    It was already in the article:
    Not even showing her The Dreaded Obligatory Cartoon.
  • Anon Ymous 2012-10-31 10:59
    So you could access the admin page by changing your "Logged" session variable to "ON"?
  • imgx64 2012-10-31 11:04
    Anon Ymous:
    So you could access the admin page by changing your "Logged" session variable to "ON"?


    No. Session variables are stored on the server.
  • Sven 2012-10-31 11:04
    Anon Ymous:
    So you could access the admin page by changing your "Logged" session variable to "ON"?

    Session variables are stored on the server in ASP; all you have on the client is a cookie with the session ID. So you can't change that value.
  • Steve The Cynic 2012-10-31 11:06
    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
  • JAPH 2012-10-31 11:06
    TRWTF is that the result set of that query isn't used in a meaningful way. Sure, we cycle over every row returned, but in each cycle we compare the user-supplied password to "star" instead of the appropriate table column.
  • Bobby Tables 2012-10-31 11:08
    The code snippet shown was after Emmett fixed the sql injection vulnerability.
  • Ozz 2012-10-31 11:15
    Steve The Cynic:
    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
    Looks like you could log in with any username as long as your password was "star".
  • Michael 2012-10-31 11:15
    should be "...Or worse? Who would trust their home with someone who used Comic Sans?"
  • Ross Presser 2012-10-31 11:18
    Ozz:
    Steve The Cynic:
    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
    Looks like you could log in with any username as long as your password was "star".


    Indeed. Even a blank username would work.

    There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.
  • Dan F 2012-10-31 11:20
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
  • Justin R 2012-10-31 11:27
    I couldn't agree more with this comment and the OP; They really are like that, shrewd penny pinchers. I make it a business practice to avoid them at all costs.
  • chubertdev 2012-10-31 11:39
    Huge security upgrade:


    If Request("Password") = "correcthorsebatterystar" Then
  • da Doctah 2012-10-31 11:47
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.

  • da Doctah 2012-10-31 11:47
    chubertdev:
    Huge security upgrade:


    If Request("Password") = "correcthorsebatterystar" Then
    I believe you don't have my stapler?
  • Abico 2012-10-31 11:50
    Ross Presser:
    Ozz:
    Steve The Cynic:
    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
    Looks like you could log in with any username as long as your password was "star".


    Indeed. Even a blank username would work.

    There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.

    Right. So why does it suggest that ' OR 1=1;-- worked?
  • DCRoss 2012-10-31 11:53
    Ross Presser:
    There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.


    That's what's confusing. How did Emmett spot the SQL injection vulnerability on the login page, and how did he log in with the username "' OR 1=1;--"?

    (Edit: Yeah, what he said.)
  • Techpaul 2012-10-31 11:57
    DCRoss:
    Ross Presser:
    There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.


    That's what's confusing. How did Emmett spot the SQL injection vulnerability on the login page, and how did he log in with the username "' OR 1=1;--"?

    (Edit: Yeah, what he said.)


    Because he used that as the USERNAME, and in fact ANY username including blank would work as long as the password was 'star'.
  • Stev 2012-10-31 11:57
    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?
  • Remy Porter 2012-10-31 11:59
    Yes, but it's still going to show up six more times in the thread.
  • JC 2012-10-31 12:01
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.
  • Ozz 2012-10-31 12:02
    Stev:
    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?
    There is no SQL injection vulnerability - at least, not in teh codez as shown.
  • JC 2012-10-31 12:03
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


    Ignore that; I just looked again and it's enumerating the records, but checking whether the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.
  • Stev 2012-10-31 12:07
    Ozz:
    Stev:
    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?
    There is no SQL injection vulnerability - at least, not in teh codez as shown.


    Exactly. So why did the "proof of concept" work?
  • Alexander Harris 2012-10-31 12:07
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


    Ignore that; I just looked again and it's enumerating the records, but checking whether the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.


    The password field must have been already filled in (saved?) from a previous login?
  • Andrew 2012-10-31 12:11
    TRWTF is Notepad, amirite?
  • Stev 2012-10-31 12:12
    So basically, TRWF is TDWTF.
  • AnonymouseUser 2012-10-31 12:12
    If it's a real estate web site why does someone need to log in?
  • foo 2012-10-31 12:14
    Alexander Harris:
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


    Ignore that; I just looked again and it's enumerating the records, but checking whether the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.


    The password field must have been already filled in (saved?) from a previous login?
    I think the explanation is quite simple: Too much creative writing going on (ETDWTF). If we get the original story, it will probably make sense.
  • JC 2012-10-31 12:15
    AnonymouseUser:
    If it's a real estate web site why does someone need to log in?


    Maybe clients can log in to see status of their sale/purchase

    Maybe Landlords can log in to see references gathered from prospective tenants.

    Maybe the business owner can log in to update the content of their "news" section.

    Why the fuck does it matter?
  • C-Derb 2012-10-31 12:15
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


    Ignore that; I just looked again and it's enumerating the records, but checking whether the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.
    Close, but not quite. He is enumerating the records, but is only checking if the form variable "Password" is equal to the value "star" every time through the loop.

    As stated by someone else, he used " or 1=1--" as the username, but must have used "star" as the password.

    Many WTFs going on here, but there is no injection vulnerability because none of the user input is sent to the SQL Server.
  • Andrew 2012-10-31 12:18
    Okay, since no one seems to get it: The login code just loops through the account info stored in the database, and compares the stored passwords to the string "star". Since one of the entries presumably has that password, it'll always log you in. It literally does not matter what the user enters.
  • foo 2012-10-31 12:19
    da Doctah:
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.

    For some distraction from Bobby Tables, the obligatory Pachelbel reference: http://www.youtube.com/watch?v=JdxkVQy7QLM

    Blah blah blah, Akismet, blah blah blah, no spam, blah blah blah, see you in hell, blah blah blah ...
  • Andrew 2012-10-31 12:19
    Never mind, I misread the code. C-Derb is correct. "' OR 1=1; --" could not have worked without a password.
  • Abico 2012-10-31 12:20
    C-Derb:
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


    Ignore that; I just looked again and it's enumerating the records, but checking whether the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.
    Close, but not quite. He is enumerating the records, but is only checking if the form variable "Password" is equal to the value "star" every time through the loop.

    As stated by someone else, he used " or 1=1--" as the username, but must have used "star" as the password.

    But why would he do that? Especially if he was attempting to demonstrate the injection vulnerability.
  • Abico 2012-10-31 12:21
    Andrew:
    Okay, since no one seems to get it: The login code just loops through the account info stored in the database, and compares the stored passwords to the string "star". Since one of the entries presumably has that password, it'll always log you in. It literally does not matter what the user enters.

    No. It checks the password from Request, not from rs.
  • AnonymouseUser 2012-10-31 12:22
    It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.
  • Sea Sharp, Waves Hurt 2012-10-31 12:23
    If we are to assume any kind of aptitude on the part of the submitter, we must assume that the code shown is, as was said once above, what the original code was replaced with. One could imagine that the original code might've been something like this:

        ' Form input is concatenated straight into the SQL text
        SQL = "SELECT realtor_id, login, password FROM [Realtors] WHERE login = '" & Request("Login") & "' AND password = '" & Request("Password") & "'"

        Set rs = Conn.Execute(SQL)
        If Not rs.EOF Then
            Session("Logged") = "ON"
            Response.Redirect "realtor_home.asp"
        End If

    I can only imagine that it's possible that obfuscation might've screwed up the actual code and "star" should've been rs("password") ... but I can't say that for sure. Also, the indentation in the code in the article is all borked.
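    To pin down what the thread keeps circling, here is an added example of mine (Python, not the article's ASP and not Sea Sharp's code) that models three login routines side by side against an in-memory SQLite table: the article's loop as the thread reads it, where the only check is the submitted password against the constant "star"; the concatenated query Sea Sharp sketches above; and a parameterised version of that same query. The table rows, realtor names and passwords are constructed for the example, and sqlite3 stands in for the ADO connection.

```python
import sqlite3

# Constructed sample rows for the Realtors table; names and passwords are made up.
SAMPLE_REALTORS = [
    (1, "judy", "star"),
    (2, "emmett", "hunter2"),
]


def make_db(rows=SAMPLE_REALTORS):
    """In-memory SQLite table standing in for the ADO connection in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Realtors (realtor_id INTEGER, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO Realtors VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def login_as_posted(conn, username, password):
    """The article's logic as the thread reads it: a hard-coded query, a loop that
    never looks at the row, and a comparison of the submitted password with the
    constant "star". The username is never consulted, and with an empty table the
    comparison never runs at all."""
    rows = conn.execute("SELECT realtor_id, login, password FROM Realtors").fetchall()
    for _row in rows:
        if password == "star":
            return True
    return False


def login_concatenated(conn, username, password):
    """Sea Sharp's hypothesised original: form input spliced into the SQL text.
    Deliberately unsafe so it can be contrasted with the parameterised version."""
    sql = ("SELECT realtor_id, login, password FROM Realtors WHERE login = '"
           + username + "' AND password = '" + password + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # Malformed input breaks the query rather than logging anyone in.
        return False


def login_parameterised(conn, username, password):
    """Hardened form of the same query: placeholders carry the input as data,
    so quote characters and comment markers never reach the SQL parser as syntax."""
    row = conn.execute(
        "SELECT realtor_id FROM Realtors WHERE login = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR 1=1;--"   # the string the article's submitter typed as the username
    for name, fn in [("as posted", login_as_posted),
                     ("concatenated", login_concatenated),
                     ("parameterised", login_parameterised)]:
        print(f"{name:14} judy/star={fn(conn, 'judy', 'star')}  "
              f"probe/star={fn(conn, probe, 'star')}  probe/x={fn(conn, probe, 'x')}")
```

    Run stand-alone, the three rows of output show the distinction the thread is after: the as-posted routine accepts any username whenever the password is "star" and nothing else; the concatenated routine accepts the probe string with any password, which is the injection; the parameterised routine accepts only a real login/password pair. The as-posted routine is unaffected by parameterisation because the form input never reaches the query at all, which is exactly why it is not an injection bug.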
  • JC 2012-10-31 12:26
    AnonymouseUser:
    It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.


    Literally the first large "real estate" firm I thought of in my country:

    http://www.bairstoweves.co.uk/ - check the top left corner.
  • Alan 2012-10-31 12:29
    Stev:
    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?


    As a web developer and database person, it still took me a sec. I think that the "example" in the story above doesn't have much to do with the code (somehow??). What the code boils down to is a hard coded password... of course that assumes you have any users in the database (if no users, then it'll never check the hard coded password).

    It is correct however that since the SQL statement is hard coded, it's not vulnerable to SQL injection from user input. What other people suggest (user set to "' OR 1 = 1;--" and password set to "star") is probably what actually happened on the "injection test"
  • Maurits 2012-10-31 12:30
    TRWTF is the unnecessary brackets around [Realtors]; amirite?
  • Alan 2012-10-31 12:31
    AnonymouseUser:
    It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.


    It depends. I know a Realtor who has 14 other Realtors in his office and they can log into their site to get some information. Since she wasn't able to update her own site, however, I'm not sure what she was doing logging in.
  • ¯\(°_o)/¯ I DUNNO LOL 2012-10-31 12:41
    Ozz:
    Steve The Cynic:
    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?
    Looks like you could log in with any username as long as your password was "star".
    And it's a good thing, otherwise the server would get stuck in an infinite loop, because "RS.MoveNext" was outside the loop.

    Or that's what I thought until I looked at it again and noticed that the "End If" and "Loop" indents didn't match the start of their blocks. TRWTF is programmers who can't indent properly.
  • Nagesh 2012-10-31 12:42
    This story could be made more colorful by introducing more elements like hacking, property buying and selling, and an eventual housing market crash in America.

    All possible due to Judy.
  • ChefJoe 2012-10-31 12:59
    da Doctah:
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.


    In MIDI I hope. I prefer to listen to all my music in MIDI so I know that the notes are exactly the ones the artist intended.
  • Mason Wheeler 2012-10-31 12:59
    foo:
    da Doctah:
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.

    For some distraction from Bobby Tables, the obligatory Pachelbel reference: http://www.youtube.com/watch?v=JdxkVQy7QLM

    Blah blah blah, Akismet, blah blah blah, no spam, blah blah blah, see you in hell, blah blah blah ...


    Funny seeing that on here. Just this morning I was watching the Four Chords Song, which covers the same basic theme.
  • Lorne Kates 2012-10-31 13:04
    Or that's what I thought until I looked at it again and noticed that the "End If" and "Loop" indents didn't match the start of their blocks. TRWTF is programmers who can't indent properly.


    In this one thing, the original programmer is blameless. That's all me. Indenting in a WYSIWYG is hard.
  • Lorne Kates 2012-10-31 13:05
    The password field must have been already filled in (saved?) from a previous login?


    Correct.
  • xtremezone 2012-10-31 13:26
    TRWTF is that most of the people in the comment section can't understand a simple block of code...

    Also, notepad. Also the submitter's actions. Also the insufficient details from the OP to understand what really happened.
    Lorne Kates:
    In this one thing, the original programmer is blameless. That's all me. Indenting in a WYSIWYG is hard.
    WYSIWYG editors are for lusers. ;)
  • foo 2012-10-31 13:31
    Mason Wheeler:
    foo:
    da Doctah:
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.

    For some distraction from Bobby Tables, the obligatory Pachelbel reference: http://www.youtube.com/watch?v=JdxkVQy7QLM

    Blah blah blah, Akismet, blah blah blah, no spam, blah blah blah, see you in hell, blah blah blah ...


    Funny seeing that on here. Just this morning I was watching the Four Chords Song, which covers the same basic theme.
    The real funny thing is that this is 4 chords and Pachelbel is 8 chords, yet they have at least 4 songs in common ...
  • foo 2012-10-31 13:33
    Lorne Kates:
    Or that's what I thought until I looked at it again and noticed that the "End If" and "Loop" indents didn't match the start of their blocks. TRWTF is programmers who can't indent properly.


    In this one thing, the original programmer is blameless. That's all me. Indenting in a WYSIWYG is hard.
    The sweet irony. Last time I checked, WYSIWYG meant "what you see is what you get". So you saw that you get a bad indentation, but were unable to fix it?
  • Pita 2012-10-31 13:34
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
    But you wouldn't buy a home without one :)
  • Coyne 2012-10-31 13:39
    So...ummmm...where's the WTF? Any third-party software sales rep will tell you the only thing that matters is the clean, beautiful, creative, and unique, user interface.

    Reliability? It's reliably pretty! Correctness? It uses all the best grammar! Security? Yes, it has a password field. Quality? Just see that beautiful flashing display!

    Ignore the man behind the curtain...
  • pantsman 2012-10-31 13:45
    TRWTF is that the OP made up the bit about the SQL injection attack demonstration, to spice up the story, and is now too proud to remove it. The story and the code do not match.
  • chubertdev 2012-10-31 13:47
    Wow, I can't believe I forgot this reference until now:

    "Security is for closers."
  • Jazz 2012-10-31 13:47
    Techpaul:
    DCRoss:
    Ross Presser:
    There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.


    That's what's confusing. How did Emmett spot the SQL injection vulnerability on the login page, and how did he log in with the username "' OR 1=1;--"?

    (Edit: Yeah, what he said.)


    Because he used that as the USERNAME, and in fact ANY username including blank would work as long as the password was 'star'.


    Right, so how exactly did he know to type "star" as the password when he typed "' OR 1=1;--" as the username?

    He claimed to have a working proof of concept of the vulnerability just by typing "' OR 1=1;--" in the username field. How could he possibly have gotten that result if he didn't know to type "star" in the password field?
  • Cbuttius 2012-10-31 13:48
    The only editors that are hard to do anything properly in are those that don't support my WITIWIM attitude.
  • sql injection 2012-10-31 13:57
    TRWTF is the number of people commenting who like the OP don't seem to understand how SQL injections actually work.
  • john 2012-10-31 14:05
    Made-up story is made-up.

    Made-up story implies that injection was discovered, yet the code permits successful authentication only if the password submitted == 'star'.

    What's the likelihood that a password was even submitted when the injection string (submitted as the user name) closes the SQL statement?

    Made-up story is made-up.
  • C-Derb 2012-10-31 14:07
    Lorne Kates:
    The password field must have been already filled in (saved?) from a previous login?


    Correct.
    If this is in fact true, that the password field on the web page contained the password "star" that was typed in from a previous login attempt, then we have yet another WTF in this story. You are implying that the login form didn't even use a password input field, but a plain text field? So the user would type in a password and it was clearly visible in plain text to anyone who might be looking over their shoulder?

    Honestly, Lorne, you should have just posted the damn code snippet and left the story in your WYSIWYG editor. #storyfail
  • Zylon 2012-10-31 14:13
    Holy (fuck) that (was) annoying (to) read.
  • Mason Wheeler 2012-10-31 14:19
    john:
    Made-up story is made-up.

    Made-up story implies that injection was discovered, yet the code permits successful authentication only if the password submitted == 'star'.


    No, look at it carefully. It didn't check the username and password that were entered, at all. If anyone in the database had the right password, the login would be successful. The stock SQL injection trick worked, but it only worked by accident because any login would have worked.
  • Brian 2012-10-31 14:22
    I saw that at least one other person caught the fact that the MoveNext is OUTSIDE the loop.
  • Lorne Kates 2012-10-31 14:25
    foo:
    Lorne Kates:
    Or that's what I thought until I looked at it again and noticed that the "End If" and "Loop" indents didn't match the start of their blocks. TRWTF is programmers who can't indent properly.


    In this one thing, the original programmer is blameless. That's all me. Indenting in a WYSIWYG is hard.
    The sweet irony. Last time I checked, WYSIWYG meant "what you see is what you get". So you saw that you get a bad indentation, but were unable to fix it?


    No. I saw indentation. I didn't get what I saw.
  • john 2012-10-31 14:25
    If Request("Password") = "star" Then

    If the submitted password is equal to 'star'. It's very clear, no?
  • john 2012-10-31 14:27
    Mason Wheeler:
    john:
    Made-up story is made-up.

    Made-up story implies that injection was discovered, yet the code permits successful authentication only if the password submitted == 'star'.


    No, look at it carefully. It didn't check the username and password that were entered, at all. If anyone in the database had the right password, the login would be successful. The stock SQL injection trick worked, but it only worked by accident because any login would have worked.


    If Request("Password") = "star" Then



    If the submitted password is equal to 'star'. It's very clear, no?
  • pjt33 2012-10-31 14:28
    Lorne Kates:
    In this one thing, the original programmer is blameless. That's all me. Indenting in a WYSIWYG is hard.

    WYSIWYG editors are TRWTF.
  • thegoddamnbatman 2012-10-31 14:30
    Whether the story is true or not, I am curious to see how it ends. Will our stalwart hero convince Judy S. Kirkland (5 Star something-or-other) to upgrade the website security? Will the project become an entirely new WTF? Or will one of the other Super-Realtor-Villains take the #1 spot?

    Stay tuned! Same WTF-Time, Same WTF-Channel.
  • Abico 2012-10-31 14:35
    Mason Wheeler:
    john:
    Made-up story is made-up.

    Made-up story implies that injection was discovered, yet the code permits successful authentication only if the password submitted == 'star'.


    No, look at it carefully. It didn't check the username and password that were entered, at all. If anyone in the database had the right password, the login would be successful. The stock SQL injection trick worked, but it only worked by accident because any login would have worked.

    Look at it carefullier. Yes, it did check the password that was entered. The Request object is what comes from the browser.
  • chubertdev 2012-10-31 14:49
    Don't forget:


    login.asp?Password=star
  • Jockamo 2012-10-31 15:10
    How does this confuse you all so much?


    This:
    If Request("Password") = "star" Then


    IS ALWAYS TRUE.
  • john 2012-10-31 15:21
    Jockamo:
    How does this confuse you all so much?


    This:
    If Request("Password") = "star" Then


    IS ALWAYS TRUE.


    No. Here, as a conditional statement, the equality sign means equality and not assignment.
  • Abico 2012-10-31 15:25
    Jockamo:
    How does this confuse you all so much?


    This:
    If Request("Password") = "star" Then


    IS ALWAYS TRUE.

    Not all languages have ==.
  • Nappy 2012-10-31 15:37
    "Not a proof of concept (successful login with username: ' OR 1=1;--)"

    There was no proof of concept (that would usually test something like .....)
  • C-Derb 2012-10-31 15:42
    Nappy:
    "Not a proof of concept (successful login with username: ' OR 1=1;--)"

    There was no proof of concept (that would usually test something like .....)
    Bad try.
    The sentence before that one is the key: "But nothing could convince Judy S. Kirkland (Gold Star Closer) to spend money on beefing up the code's security. Not a proof of concept...Not....Not..."
  • Maurits 2012-10-31 16:18
    john:
    Jockamo:
    How does this confuse you all so much?


    This:
    If Request("Password") = "star" Then


    IS ALWAYS TRUE.


    No. Here, as a conditional statement, the equality sign means equality and not assignment.


    This is one of the rare cases where Basic is actually superior to C++; another is Select Case vs. switch.
  • Melnorme 2012-10-31 16:29
    Decline of TDWTF comments. WTF you guys
  • Leak 2012-10-31 16:40
    Lorne Kates:
    That's all me. Indenting in a WYSIWYG is hard.

    Honestly I'd prefer a simple WYSIWTF editor...
  • DB 2012-10-31 16:41
    Fail. (Blah Blah Blah Blah Blah).
  • logged in guy 2012-10-31 17:21
    But what does it mean to be "logged in" ?

    Maybe having a "star" in the passwords just means that the website works. Remove the star and the site is disabled.
  • Meanie 2012-10-31 17:25
    foo:
    Alexander Harris:
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed "star", "OR 1=1--" or "letmein" in the password field; as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


    Ignore that; I just looked again and it's enumerating the records, but checking whether the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.


    The password field must have been already filled in (saved?) from a previous login?
    I think the explanation is quite simple: Too much creative writing going on (ETDWTF). If we get the original story, it will probably make sense.
    I'll take it a step further and suggest that aside from a lot of creative writing, there's occasionally a WTF that the writer doesn't fully understand - but if it's related to DB's it must have been an SQL injection vulnerability.
  • John 2012-10-31 17:28
    Andrew:
    Never mind, I misread the code. C-Derb is correct. "' OR 1=1; --" could not have worked without a password.

    I think the article and the code have been anonymized - badly.
    For every password in the database, compare a constant string with the variable on the form.

    I think the badness here is exaggerated a lot
  • Mike 2012-10-31 17:31
    AnonymouseUser:
    It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.
    Serious? Go look for some realestate sites. They all seem to have logins. In fact, I think it's practically illegal these days to have a website with no logins. You'll never make it in the real world (TM).

    I think with Real Estate sites, one of the reasons is so you can set up monitors on properties of interest...Useful? Probably not, but I can sort of see why people would do it...
  • chubertdev 2012-10-31 17:35
    chubertdev:
    Don't forget:


    login.asp?Password=star


    For those that aren't familiar with ASP, the Request object has five collections:
    1) ClientCertificate
    2) Cookies
    3) Form
    4) QueryString
    5) ServerVariables

    So to properly pull from a form field, you would use this:

    Request.Form("Password")


    And to pull from a URL:

    Request.QueryString("Password")


    I know that Request("Password") will pull from the Form and QueryString collections, not sure which of the other three it could pull from.

    Either way, not a huge security risk, just sloppy. I definitely have the feeling that this is another case of someone who "likes" computers trying programming, and creating code that shows the wide divide between knowing how to get something working, and doing a job correctly.
  • foo 2012-10-31 17:36
    Meanie:
    foo:
    Alexander Harris:
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed, "star", "OR 1=1--" or "letmein" in the password field, as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.


    Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.


    The password field must have been already filled in (saved?) from a previous login?
    I think the explanation is quite simple: Too much creative writing going on (ETDWTF). If we get the original story, it will probably make sense.
    I'll take it a step further and suggest that aside from a lot of creative writing, there's occasionally a WTF that the writer doesn't fully understand - but if it's related to DB's it must have been an SQL injection vulnerability.
    Maybe good ol' Bobby Tables isn't quite as over-quoted as some think ...
  • Smarty Tablets 2012-10-31 17:44
    Let me join the war too...

    I suspect what might have happened is....

    Real Acetate agent is logged in.
    Emmett does his 'SQL Injection test'
    Emmett assumes (since the Session hasn't actually logged out with the new login attempt) that his SQL Injection works
    Emmett discovers about 500 WTF's in 5 lines of code....

    Let's recap
    1) There is no SQL injection
    2) The password is checked (repeatedly), but not against anything in the DB
    3) Once someone is logged in, subsequent logins from the same machine will remain logged in (with the same privileges).
    4) (I'm guessing) there is exactly 1 password in the DB and it's "star", but the RE agent doesn't realise it could be "FRED" and everything would still work (or not work) the same....
  • Derp 2012-10-31 18:55
    So many people not grasping the facts. A few that do.

    1) the RS.MoveNext *is* inside the loop, it's the crappy indentation that's throwing anyone who believes otherwise

    2) it's not comparing against any field in the recordset, it's comparing the Request Form/Querystring variable "password" for the value "star". The recordset enumeration is pointless. As there's no querying or modification using any parameters from the user, it's most likely immune to SQL injection, assuming there are no unicorns or rainbows.

    3) ASP (which, server-side uses VBScript) does not have = and == for assignment and comparison, only = which does both depending on context

    4) Request("Password") - if you omit the collection name to enumerate from Request, then ASP will enumerate ALL collections in this order: -

    1. QueryString
    2. Form
    3. Cookies
    4. ClientCertificate
    5. ServerVariables

    This is a WTF (in my opinion) on ASP's part; good practice would IMO be to always be explicit and not rely on magic to handle defaults.

    I think the intention is to capture it from either the form or querystring, form most likely.

    5) The sequence of events in this poor guy's story was, I believe: -

    1. Discover SQL injection attack ( OR 1 = 1)
    2. Prove this to dumbass client
    3. Re-write login method to what we can see in the article


    TRWTF is most of the responses here.

    That is all.
  • chubertdev 2012-10-31 19:11
    The database query IS used, it makes the page take a little bit longer so that it looks like it's thinking, enhancing the user experience. :)
  • Maurits 2012-10-31 19:28
    chubertdev:
    The database query IS used, it makes the page take a little bit longer so that it looks like it's thinking, enhancing the user experience. :)


    Also, if the recordset is empty, then login fails regardless of the password.
  • Meep 2012-10-31 20:35
    Stev:
    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?


    You really can't follow a simple loop stepping through a SQL result set?
  • Abico 2012-10-31 21:57
    Meep:
    Stev:
    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?


    You really can't follow a simple loop stepping through a SQL result set?

    I'm guessing Stev meant it's not obvious to a non-web developer which is happening. The story complicated things by making it sound like an SQL injection attack worked, when I think the author meant it *appeared* to work.
  • Rohit 2012-10-31 22:38
    I like Java PreparedStatement, it at least saves you from this SQL Injection
  • noland 2012-10-31 22:44
    Michael:
    should be "...Or worse? Who would trust their home with someone who used Comic Sans?"

    This, my Sir, was the hand-picked font, all set tastefully in chartreuse.

    Imagine this being replaced by Times Roman Regular – what a thought, no more Most Requested Upper Echelon Realtor Website of the Year (2012)!
  • Brian 2012-10-31 22:50
    Man, I'm an idiot. Damn you horrible indentation!
  • herby 2012-11-01 01:13
    Real estate people, where to begin. A while ago (it was around 15 years ago) they set up the local MLS to have pictures. The IDs were 9 digits long, and they had a special program that would take any bunch of text and find the 9 digit numbers then fetch pictures. Of course they had to have their own private network that you needed to dial in (no internet, too insecure!) so it involved specialized programs. They all worked well until the 9 digit field overflowed and they started using numbers starting with zero. Then they didn't have 9 digit numbers any more and it all failed. Oh, well.

    Bunch of "self important" people.
  • Ardi 2012-11-01 02:55
    Yes, bookmarking the url that has the password is bad. Anything entered in the login fields will log you in. But no one has mentioned, you might as well bookmark /realtor_home.asp and completely skip the login screen. That's Real Security. Google has probably already indexed the "secure" page and has it in search results with a direct link :)
  • Another Andrew 2012-11-01 03:15
    Ok, TRWTF is the story.

    The proof of concept wouldn't work against the offending code as presented at the end of the article; ever. The SELECT query was doing nothing regardless.

    I suppose the other WTF's were everyone tripping over assignment and equality in the VBScript or mistaking request("password") for something like rs("password").

    If we are to believe that the block of code presented at the end of the article is the solution that the developer came up with then we have another RWTF and that is this guy writing code. A better solution would have been to use request.form() to prevent query string submissions, write a function to sanitize anything that hits the database and use stored procedures and tokens instead of SQL queries.
  • Turd Whiskers 2012-11-01 05:12
    So why exactly is Pachelbel's Canon etc. supposed to be a WTF?
  • chris 2012-11-01 07:35
    ChefJoe:
    da Doctah:
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.
    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.


    In MIDI I hope. I prefer to listen to all my music in MIDI so I know that the notes are exactly the ones the artist intended.

    Agreed - a lot of modern musicians seem to struggle with some of the real classics.
  • Ryan 2012-11-01 07:40
    "TRWTF is that the result set of that query isn't used in a meaningful way. Sure, we cycle over every row returned, but in each cycle we compare the user-supplied password to "star" instead of the appropriate table column."

    Man, nothing gets by you.
  • G 2012-11-01 10:46
    Ryan:
    "TRWTF is that the result set of that query isn't used in a meaningful way. Sure, we cycle over every row returned, but in each cycle we compare the user-supplied password to "star" instead of the appropriate table column."

    Man, nothing gets by you.

    Your sarcasm would have been adequate, if there were not already three pages of other comments that still do not get the "obvious".
  • John Hensley 2012-11-01 11:13
    TRWTF is calling images on a web site "polaroids." Who does this?
  • Abico 2012-11-01 11:15
    John Hensley:
    TRWTF is calling images on a web site "polaroids." Who does this?

    I could be wrong, but I took it to literally mean scans of Polaroids.
  • JJ 2012-11-01 12:30
    Smarty Tablets:
    2) The password is checked (repeatedly), but not against anything in the DB

    I just want to make one thing clear: When the password is correct, the rows are not iterated. This is because Response.Redirect is basically like a return statement: execution ends immediately. The recordset will only be fully (and uselessly) iterated when the password is incorrect.
  • COMIC SAAAAAAANS! 2012-11-01 13:40
    Hell, why not go the whole hog?
    Who would trust their home with someone who used Comic Sans?
  • Lorne Kates 2012-11-01 15:30
    Who would trust their home with someone who DIDN'T use Comic Sans?


    Sidenote: browser.blink_allowed: false FTW!
  • Lachlan 2012-11-01 19:17
    Am I reading this wrong?
    I don't know VB (well it looks like VB), but doesn't:

    If Request("Password") = "star" Then

    Assign the value "star" to Request("Password"), thus returning true and letting anyone log in?
  • T.R. 2012-11-02 05:29
    Lachlan:
    Am I reading this wrong?
    I don't know VB (well it looks like VB), but doesn't:

    If Request("Password") = "star" Then

    Assign the value "star" to Request("Password"), thus returning true and letting anyone log in?


    No, the "=" operator here tests for equality, it's not an assignment operator.
    "=" is ambiguous in VB etc.; this is why C-like languages use "==" for equality test and "=" for assignment.

    Actually what this code does is quite simple:
    It loops through the DB records and for each record found, compares the user supplied password with "star".

    So you will get logged in if both of the following conditions are true:

    1. You supplied "star" as password in your request, perhaps by adding "?Password=star" in the url.
    2. The DB table has at least one record.
  • MrBester 2012-11-02 10:10
    Jesus fucking bald-headed Christ in a sidecar drinking Slippery Nipples. It says twice in the article (once implied by the filename) that this is Classic ASP. If you don't know either of the possible languages the code could have been written in (this one used VBScript. Not VB, not VB.NET) then please STFU and stop assuming every language works like C++ even when it doesn't fucking look remotely similar.

    If there are no records in the recordset then no login will succeed. You could argue that this is correct behaviour as there is no user record to "check" against but it is purely coincidental.

    If any property of any of the 5 collections that Request can look through is called "password" (case insensitive FTW) and contains the value "star" then the login succeeds. If the value is not "star" or the property doesn't exist then no login succeeds.

    Therefore there is one password, irrespective of username (which is ignored anyway).
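    The thread's consensus, pulled together in runnable form as an added example (not code from the article, the site in the story, or any commenter): a Python re-enactment of the login as T.R. and MrBester describe it (any username, password "star", at least one row in the recordset), with Request("Password") resolved in the collection order Derp's comment lists, placed next to a hardened version along the lines Another Andrew suggests (credentials taken from the form body only, a bound query parameter, a per-user salted hash compared in constant time). The recordset, the collection dictionaries, the user table, the sample accounts and every function name are constructed assumptions for the demonstration.

```python
"""Added example, not from the article or the comment thread: the Classic ASP
login the thread is dissecting, re-enacted in Python, beside a hardened form.
All data and names here are constructed for illustration."""
import hashlib
import hmac
import os
import sqlite3

# Order in which Request("name") with no collection falls through, as listed
# in Derp's comment: QueryString first, so "?Password=star" in the URL wins.
ASP_LOOKUP_ORDER = ("QueryString", "Form", "Cookies", "ClientCertificate", "ServerVariables")


def request_value(collections, name):
    """Mimic Request("name"): first matching key wins, collection by collection.
    ASP collection keys are case-insensitive, so compare lower-cased."""
    for coll in ASP_LOOKUP_ORDER:
        for key, value in collections.get(coll, {}).items():
            if key.lower() == name.lower():
                return value
    return ""


def legacy_login(recordset, collections):
    """The behaviour the thread settles on: walk every row, compare the
    submitted password with the constant "star", never look at the row.
    Returns True where the ASP page would have redirected to realtor_home.asp."""
    for _row in recordset:                      # RS.MoveNext sits inside the loop
        if request_value(collections, "Password") == "star":
            return True                         # Response.Redirect ends the request
    return False                                # empty recordset: nobody ever logs in


# ---- Hardened version: per-user salted hash, bound parameter, form-only input ----

def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-SHA256; a fresh random salt unless one is supplied for verification."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def make_user_db():
    """Constructed in-memory users table with two sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    for name, pw in (("judy", "star"), ("emmett", "sample-pass-2012")):
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return db


def hardened_login(db, form):
    """Credentials come only from the POST body (the Request.Form equivalent),
    the user row is fetched with a bound parameter so the username is never
    spliced into SQL, and the hash comparison is constant-time."""
    username = form.get("Username", "")
    password = form.get("Password", "")
    row = db.execute("SELECT salt, hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)   # same work for unknown users (timing)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    rows = [{"username": "judy"}]               # constructed one-row recordset
    print(legacy_login(rows, {"QueryString": {"Password": "star"}}))   # True: bookmarkable URL
    print(legacy_login(rows, {"Form": {"Username": "anyone", "Password": "star"}}))  # True
    print(legacy_login([], {"Form": {"Password": "star"}}))            # False: empty recordset
    db = make_user_db()
    print(hardened_login(db, {"Username": "judy", "Password": "star"}))  # True
    print(hardened_login(db, {"Username": "anyone", "Password": "star"}))  # False
```

    The two legacy calls that return True show why the commenters split: the username plays no part, and the password only has to arrive in some collection the Request object searches, so a query string works as well as the form. The hardened function ties the check to a specific user row and to a value that is never used to build SQL text.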
  • Pants 2012-11-03 01:38
    I wager the reason the injection worked is buried in the missing context. Does the session being logged do anything? Do you get a redirect to the same page even if your credentials are invalid?

    A person who iterates through all the records in a table while comparing two values that have no relation to the db data is the same person who knows sessions are important but doesn't do anything other than log you in.

    Then again, maybe the session variable didn't get cleared. He had one good login and then could punch in literally anything. Yeah. I'm changing my vote to this.
  • wernsey 2012-11-05 03:41
    Several days late already, but please let me have a try:
    1) He walks over to Judy's computer and opens the browser on the login page.
    2) The username and password are saved because Judy clicked "Yes" on the "do you want Internet Explorer to save this password?" prompt without actually reading it.
    3) He replaces the username field with ' OR 1=1;--
    4) The password stays ****
    5) He logs in successfully, thus proving that there's a SQL injection vulnerability.
    6) When he looks at the code he discovers that the situation is a bit different.

    As always, TRWTF is the comments.
  • Neil 2012-11-07 12:50
    Lorne Kates:
    color=red;text-decoration: blink;font-family:Comic Sans MS, cursive, sans-serif;font-size:36pt
    Wait, BBCode injection attack?
    Lorne Kates:
    Sidenote: browser.blink_allowed: false FTW!
    Sorry, but that no longer suffices; see http://jsfiddle.net/CLKEw/ for example.
  • Seele 2012-11-10 13:47
    It matters because the vulnerability allows anyone to log in as site administrator and do pretty much anything - deface the website, steal confidential client data etc.
  • stackozone 2012-11-22 03:18
    On the other hand, http://www.bubbleinfo.com seems to be pretty decent.