  • Remy Porter (cs)

    Obligatory Bobby Tables reference.

  • Samuele Mattiuzzo (unregistered)

    This won't make Judy S. (5-time MostFaithful person award) happy.

  • Cantabrigian (cs) in reply to Remy Porter
    Remy Porter:
    Obligatory Bobby Tables reference.

    It was already in the article: Not even showing her The Dreaded Obligatory Cartoon.

  • Anon Ymous (unregistered)

    So you could access the admin page by changing your "Logged" session variable to "ON"?

  • imgx64 (unregistered) in reply to Anon Ymous
    Anon Ymous:
    So you could access the admin page by changing your "Logged" session variable to "ON"?

    No. Session variables are stored on the server.

  • Sven (unregistered) in reply to Anon Ymous
    Anon Ymous:
    So you could access the admin page by changing your "Logged" session variable to "ON"?
    Session variables are stored on the server in ASP; all you have on the client is a cookie with the session ID, so you can't change that value.

  • Steve The Cynic (cs)

    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?

  • JAPH (unregistered)

    TRWTF is that the result set of that query isn't used in a meaningful way. Sure, we cycle over every row returned, but in each cycle we compare the user-supplied password to "star" instead of the appropriate table column.

  • Bobby Tables (unregistered) in reply to Steve The Cynic

    The code snippet shown was after Emmett fixed the SQL injection vulnerability.

  • Ozz (unregistered) in reply to Steve The Cynic
    Steve The Cynic:
    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?

    Looks like you could log in with any username as long as your password was "star".

  • Michael (unregistered)

    should be "...Or worse? Who would trust their home with someone who used Comic Sans?"

  • Ross Presser (unregistered) in reply to Ozz
    Ozz:
    Steve The Cynic:
    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?

    Looks like you could log in with any username as long as your password was "star".

    Indeed. Even a blank username would work.

    There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.

  • Dan F (unregistered)

    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.

  • Justin R (unregistered) in reply to Dan F

    I couldn't agree more with this comment and the OP; they really are like that, shrewd penny pinchers. I make it a business practice to avoid them at all costs.

  • chubertdev (cs)

    Huge security upgrade:

    If Request("Password") = "correcthorsebatterystar" Then
    
  • da Doctah (cs) in reply to Dan F
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.

    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.

  • da Doctah (cs) in reply to chubertdev
    chubertdev:
    Huge security upgrade:
    If Request("Password") = "correcthorsebatterystar" Then
    
    I believe you don't have my stapler?

  • Abico (unregistered) in reply to Ross Presser
    Ross Presser:
    Ozz:
    Steve The Cynic:
    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?

    Looks like you could log in with any username as long as your password was "star".

    Indeed. Even a blank username would work.

    There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.

    Right. So why does it suggest that ' OR 1=1;-- worked?

  • DCRoss (cs) in reply to Ross Presser
    Ross Presser:
    There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.

    That's what's confusing. How did Emmett spot the SQL injection vulnerability on the login page, and how did he log in with the username "' OR 1=1;--"?

    (Edit: Yeah, what he said.)

  • Techpaul (unregistered) in reply to DCRoss
    DCRoss:
    Ross Presser:
    There was no injection attack because what was entered in the form was never sent to the SQL server at all. You can't get the heroin in the vein if there's no syringe to use.

    That's what's confusing. How did Emmett spot the SQL injection vulnerability on the login page, and how did he log in with the username "' OR 1=1;--"?

    (Edit: Yeah, what he said.)

    Because he used that as the USERNAME, and in fact ANY username including blank would work as long as the password was 'star'.

  • Stev (unregistered)

    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?

  • Remy Porter (cs) in reply to Cantabrigian

    Yes, but it's still going to show up six more times in the thread.

  • JC (unregistered)

    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed, "star", "OR 1=1--" or "letmein" in the password field, as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.

  • Ozz (unregistered) in reply to Stev
    Stev:
    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?

    There is no SQL injection vulnerability - at least, not in teh codez as shown.

  • JC (unregistered) in reply to JC
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed, "star", "OR 1=1--" or "letmein" in the password field, as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.

    Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.

  • Stev (unregistered) in reply to Ozz
    Ozz:
    Stev:
    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?

    There is no SQL injection vulnerability - at least, not in teh codez as shown.

    Exactly. So why did the "proof of concept" work?

  • Alexander Harris (unregistered) in reply to JC
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed, "star", "OR 1=1--" or "letmein" in the password field, as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.

    Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.

    The password field must have been already filled in (saved?) from a previous login?

  • Andrew (unregistered)

    TRWTF is Notepad, amirite?

  • Stev (unregistered)

    So basically, TRWF is TDWTF.

  • AnonymouseUser (unregistered)

    If it's a real estate web site why does someone need to log in?

  • foo (unregistered) in reply to Alexander Harris
    Alexander Harris:
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed, "star", "OR 1=1--" or "letmein" in the password field, as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.

    Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.

    The password field must have been already filled in (saved?) from a previous login?


    I think the explanation is quite simple: Too much creative writing going on (ETDWTF). If we get the original story, it will probably make sense.

  • JC (unregistered) in reply to AnonymouseUser
    AnonymouseUser:
    If it's a real estate web site why does someone need to log in?

    Maybe clients can log in to see the status of their sale/purchase.

    Maybe Landlords can log in to see references gathered from prospective tenants.

    Maybe the business owner can log in to update the content of their "news" section.

    Why the fuck does it matter?

  • C-Derb (unregistered) in reply to JC
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed, "star", "OR 1=1--" or "letmein" in the password field, as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.

    Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.

    Close, but not quite. He is enumerating the records, but is only checking if the form variable "Password" is equal to the value "star" every time through the loop.

    As stated by someone else, he used " or 1=1--" as the username, but must have used "star" as the password.

    Many WTFs going on here, but there is no injection vulnerability because none of the user input is sent to the SQL Server.

  • Andrew (unregistered)

    Okay, since no one seems to get it: The login code just loops through the account info stored in the database, and compares the stored passwords to the string "star". Since one of the entries presumably has that password, it'll always log you in. It literally does not matter what the user enters.

  • foo (unregistered) in reply to da Doctah
    da Doctah:
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.

    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.

    For some distraction from Bobby Tables, the obligatory Pachelbel reference: http://www.youtube.com/watch?v=JdxkVQy7QLM

    Blah blah blah, Akismet, blah blah blah, no spam, blah blah blah, see you in hell, blah blah blah ...

  • Andrew (unregistered) in reply to Andrew

    Nevermind, I misread the code. C-Derb is correct. "' OR 1=1; --" could not have worked without a password.

  • Abico (unregistered) in reply to C-Derb
    C-Derb:
    JC:
    JC:
    For the people who still don't get this:

    The code is enumerating all the passwords in the database, as long as any one of them is "star" the user is logged in.

    Thus, it doesn't matter if you typed, "star", "OR 1=1--" or "letmein" in the password field, as long as the database had a user with password "star", you're logged in.

    No SQL Vulnerability, submitter just tried a common exploit and it worked - at which point s/he assumed SQL Injection was the cause.

    Ignore that, just looked again and it's enumerating the records, but checking the field had "star" in it. Now I'm just as confused as everyone else why "OR 1=1--" worked.

    Close, but not quite. He is enumerating the records, but is only checking if the form variable "Password" is equal to the value "star" every time through the loop.

    As stated by someone else, he used " or 1=1--" as the username, but must have used "star" as the password.

    But why would he do that? Especially if he was attempting to demonstrate the injection vulnerability.
  • Abico (unregistered) in reply to Andrew
    Andrew:
    Okay, since no one seems to get it: The login code just loops through the account info stored in the database, and compares the stored passwords to the string "star". Since one of the entries presumably has that password, it'll always log you in. It literally does not matter what the user enters.

    No. It checks the password from Request, not from rs.

  • AnonymouseUser (unregistered) in reply to JC

    It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.

  • Sea Sharp, Waves Hurt (unregistered)

    If we are to assume any kind of aptitude on the part of the submitter, we must assume that the code shown is, as was said once above, what the original code was replaced with. One could imagine that the original code might've been something like this:

    SQL = "SELECT realtor_id, login, password FROM [Realtors] WHERE login = " & Request("Login") & " AND password = " & Request("Password")
    Set rs = Conn.Execute(SQL)
    If Not rs.EOF Then
        Session("Logged") = "ON"
        Response.Redirect "realtor_home.asp"
    End If

    I can only imagine that it's possible that obfuscation might've screwed up the actual code and "star" should've been rs("password") ... but, I can't say that for sure. Also, the indentation in the code in the article is all borked.

  • JC (unregistered) in reply to AnonymouseUser
    AnonymouseUser:
    It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.

    Literally the first large "real estate" firm I thought of in my country:

    http://www.bairstoweves.co.uk/ - check the top left corner.

  • Alan (unregistered) in reply to Stev
    Stev:
    Yeah I'm sure this WTF is plainly obvious to most web developers out there but us mere mortals haven't a clue what's actually happening - an SQL injection, or a hardcoded password?

    As a web developer and database person, it still took me a sec. I think that the "example" in the story above doesn't have much to do with the code (somehow??). What the code boils down to is a hard coded password... of course that assumes you have any users in the database (if no users, then it'll never check the hard coded password).

    It is correct however that since the SQL statement is hard coded, it's not vulnerable to SQL injection from user input. What other people suggest (user set to "' OR 1 = 1;--" and password set to "star") is probably what actually happened on the "injection test".
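
    As an added example (not code from the article or from any commenter), here is the login logic the thread reconstructs (the "hard coded password" reading above, and the loop that never consults the row) reimplemented in Python against an in-memory SQLite table, beside a hardened version that does the parameterised lookup the imagined concatenated original further up lacks. The account table, its passwords and the function names are constructed for this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts standing in for the thread's [Realtors] table.
ACCOUNTS = [(1, "judy", "star"), (2, "emmett", "hunter2")]
# The username the article's submitter reports using in the "injection test".
PAYLOAD = "' OR 1=1;--"


def _hash(password, salt):
    # PBKDF2-SHA256 so the table never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """In-memory SQLite table with a per-row salt and password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Realtors (realtor_id INTEGER, login TEXT, salt BLOB, pwhash BLOB)"
    )
    for rid, login, pw in ACCOUNTS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO Realtors VALUES (?, ?, ?, ?)", (rid, login, salt, _hash(pw, salt))
        )
    return conn


def login_as_posted(conn, login, password):
    """The logic the commenters reconstruct from the article: the query has no
    WHERE clause, every row is visited, and the form password is compared to
    the literal "star". Neither the login nor the stored password is consulted,
    so any username (even blank) works with "star", and an empty table never
    logs anyone in."""
    rows = conn.execute("SELECT realtor_id, login FROM Realtors").fetchall()
    for _row in rows:
        if password == "star":
            return True  # Session("Logged") = "ON"
    return False


def login_hardened(conn, login, password):
    """Parameterised lookup by login, then a constant-time check of the stored
    hash. The username is bound as data, so it cannot alter the query."""
    row = conn.execute(
        "SELECT salt, pwhash FROM Realtors WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        return False
    salt, pwhash = row
    return hmac.compare_digest(pwhash, _hash(password, salt))


if __name__ == "__main__":
    db = make_db()
    print(login_as_posted(db, PAYLOAD, "star"))  # True: only because the password was "star"
    print(login_as_posted(db, "", "star"))       # True: blank username works too
    print(login_hardened(db, PAYLOAD, "star"))   # False: no such login
    print(login_hardened(db, "judy", "star"))    # True: real credentials
```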

  • Maurits (cs)

    TRWTF is the unnecessary brackets around [Realtors]; amirite?

  • Alan (unregistered) in reply to AnonymouseUser
    AnonymouseUser:
    It matters because that's the first thing any developer should ask. I don't recall ANY real estate sites where there was a login section, anything other than viewing was done over the phone.

    It depends. I know a Realtor who has 14 other Realtors in his office and they can log into their site to get some information. Since she wasn't able to update her own site, however, I'm not sure what she was doing logging in.

  • ¯\(°_o)/¯ I DUNNO LOL (unregistered) in reply to Ozz
    Ozz:
    Steve The Cynic:
    I'm confused.

    Was there an injection vuln or was there not? First it says he found one, then it wasn't there when he went to look. What was it?

    Looks like you could log in with any username as long as your password was "star".

    And it's a good thing, otherwise the server would get stuck in an infinite loop, because "RS.MoveNext" was outside the loop.

    Or that's what I thought until I looked at it again and noticed that the "End If" and "Loop" indents didn't match the start of their blocks. TRWTF is programmers who can't indent properly.

  • Nagesh (cs)

    This story could be made more colorful by introducing more elements like hacking, property buying and selling, and the eventual housing market crash in America.

    All possible due to Judy.

  • ChefJoe (unregistered) in reply to da Doctah
    da Doctah:
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.

    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.

    In MIDI I hope. I prefer to listen to all my music in MIDI so I know that the notes are exactly the ones the artist intended.

  • Mason Wheeler (cs) in reply to foo
    foo:
    da Doctah:
    Dan F:
    As soon as I saw "Real Estate Agent" I knew it was going to be good. Every single agent I have ever met (and I meet lots in my line of work) has been a shallow, superficial, arrogant Luddite.

    I always chuckle when I think of the colleague who, while moonlighting, set up a Realtor's site with music that plays automatically and can't be shut off (which we'll call WTF #1), and how proud she was that she'd discovered the ideal piece of music for the purpose (which we'll call WTF #2):

    Pachelbel's Canon in D.

    For some distraction from Bobby Tables, the obligatory Pachelbel reference: http://www.youtube.com/watch?v=JdxkVQy7QLM

    Blah blah blah, Akismet, blah blah blah, no spam, blah blah blah, see you in hell, blah blah blah ...

    Funny seeing that on here. Just this morning I was watching the Four Chords Song, which covers the same basic theme.

  • Lorne Kates (cs) in reply to ¯\(°_o)/¯ I DUNNO LOL
    Or that's what I thought until I looked at it again and noticed that the "End If" and "Loop" indents didn't match the start of their blocks. TRWTF is programmers who can't indent properly.

    In this one thing, the original programmer is blameless. That's all me. Indenting in a WYSIWYG is hard.

  • Lorne Kates (cs) in reply to Alexander Harris
    The password field must have been already filled in (saved?) from a previous login?

    Correct.
