|
I would have done the same. When I read the first few lines I thought it was some kind of joke and then it got worse.
|
|
|
|
|
Open this below link in Firefox and look at the top of the page!
click[^]
"hi, I am explorer.exe. sometimes when you are doing anything at all, I will just freeze for ten minutes. All of my brother and sister windows will also freeze, because they are sad for me. Maybe we will come back, maybe not, it will be a surprise!"
|
|
|
|
|
its in the HTML. Someone should really learn how to comment HTML correctly.
|
|
|
|
|
leppie wrote: Someone should really learn how to comment HTML correctly.
Yeah, it is not that hard
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
|
|
|
|
|
|
Sweet. SQL Injection attack anyone?
|
|
|
|
|
How? It's server side code being rendered to the client so there's no attack vector there.
cheers,
Chris Maunder
CodeProject.com : C++ MVP
|
|
|
|
|
Chris Maunder wrote: How? It's server side code being rendered to the client so there's no attack vector there.
True - but you've now seen the name of tables, and it's obvious that Stored Procs aren't being used. As soon as you find an input form, the attack surface has been opened up.
|
|
|
|
|
Not as bad as one I discovered recently: Database connection strings stored in a publicly accessible txt file coupled with request strings being completely unvalidated before being appended to various SQL queries. Had a call from the client one day asking if it was us that created the 'slartibartfast' table. It turned out to be some bloke on the other side of the world having a bit of fun. Reminds me of my favourite XKCD[^].
|
|
|
|
|
The question is, did they know who Slartibartfast was?
|
|
|
|
|
Can people be so dumb? I would not be surprised if they put the FTP credentials of the website as a comment in the index.html under the pretext of ease of maintenance.
Vasudevan Deepak Kumar
Personal Homepage Tech Gossips
A pessimist sees only the dark side of the clouds, and mopes; a philosopher sees both sides, and shrugs; an optimist doesn't see the clouds at all - he's walking on them. --Leonard Louis Levinson
|
|
|
|
|
Pete O'Hanlon wrote: SQL Injection attack anyone?
Totally. Think of any good ones?
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
|
|
|
|
|
Paul Conrad wrote: Totally. Think of any good ones?
It does sound a bit "Capture the flag"
|
|
|
|
|
|
Oh my FREAKING God....
That makes me twitch. That's such a horrible security flub.
|
|
|
|
|
All you've got are table names (and for the movie table only) - you can't actually get access. It's dumb and stupid but not a humungous breach
cheers,
Chris Maunder
CodeProject.com : C++ MVP
|
|
|
|
|
As has already been pointed out... We now know that they use inline SQL, so the first input page you come too makes it ripe to do the injection attack with a 'drop tables' in it.
|
|
|
|
|
The real WTF is ADODB!
Pits fall into Chuck Norris.
|
|
|
|
|
Brady Kelly wrote: real WTF is ADODB
Yep.
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
|
|
|
|
|
Daily WTF material right here... this is fantastic
|
|
|
|
|
|
yeah,Opera could see it
but,why IE not?? ![Big Grin | :-D](https://codeproject.freetls.fastly.net/script/Forums/Images/smiley_biggrin.gif)
|
|
|
|
|
Rather odd. Go to index.asp and it renders correctly. Someone hasn't set the default pages up correctly in IIS up properly.
|
|
|
|
|
Bad code behind, I guess...
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
|
|
|
|
|
It's inline server tags, not code behind. And, in fact, their other pages are in classic ASP, not ASP.NET (extension is .asp, not .aspx)
|
|
|
|