91 Comments
- inactive, on 10/12/2007, -2/+41Googlebot is the new Darwin. It's gonna weed out the weak web sites until we have nothing but a lean, mean, super-ultra internet.
- laelfrog, on 10/12/2007, -0/+38Wow.. Just Wow... Authenticated variable in a cookie? are you insane?
Do people get paid for this kind of work?
Quoting a comment on that page :
"So the logic something like:
if (getCookie(isLoggedOn) != "false")
CongratulationsYouAreLoggedIn()
Why would anyone do that??..."
- craigtheguru, on 10/12/2007, -2/+37Moral of the story: be competent.
- dongiaconia, on 10/12/2007, -3/+28@Chapter80: There is a distinct difference between Prose & Blank Verse and text written for the Internet. I believe laelfrog typed his response as he would have said it aloud. "Wow.... Just wow..." Makes perfect sense when heard aloud. Most comments you will find on here are written as they would be heard in modern day speech.
So on behalf of the younger generation, if you are here to complain about how people talk these days, why don't you take your eloquent diction and your fancy word book and defenestrate them along with your pedantic verbose attitude?
- inactive, on 10/12/2007, -0/+22The guy that coded the site is in the wrong business... he should be coding ATMs.
No debit card?? cha-ching... jackpotz!!
- rtjac, on 10/12/2007, -0/+18I once dated a woman who left me for her 11 year old friend. I wanted to call the police, then I realized she just meant she had known him for 11 years.
- DougPenn, on 10/12/2007, -1/+15Management probably TOLD him to code it using that method. My manager frequently makes coding decisions when he doesn't know the fundamentals of the language we're using on a project. He just spews keywords he hears more technical people say, and hopes for the best...
- merreborn, on 10/12/2007, -0/+13thedailywtf rocks. I read it daily. Sometimes, tragically, I actually learn something.
Today was one of those days. As mentioned in the comments of TFA, GET requests should ALWAYS be non-destructive!
I actually added a link to this story in our company coding standards, as well as the HTTP RFC :p
- inactive, on 10/12/2007, -1/+14Yeah, I suppose I'm just a *****. Digg that.
- dmron, on 10/12/2007, -1/+14LOL, love the title of this story. But jeez, whoever coded that site should be shot. It essentially says the authentication system requires both cookies and javascript to be enabled - if they're both disabled, it lets you right in. HA
- inactive, on 10/12/2007, -1/+13Sorry, forgot something:
/joke
- ozroy, on 10/12/2007, -4/+16What a doofus. He's learnt his lesson now though; in the future he will use JS to generate the 'Delete this page' link so the Google bot can't find it.
/joke
- Shinglor, on 10/12/2007, -0/+11If you want to speed up the process a little you could post the link on Digg :P. Be sure to mention the password thing again before, but not suspiciously close to the attack.
- panique, on 10/12/2007, -1/+12Isn't this article 3 days early? This HAS to be a joke.
When I was designing the authentication/authorization system for my web apps, it just seemed obvious to me that I needed to check it using the browser with cookies turned off. It also was completely obvious that any credentials needed to be based upon the presence of a cookie, not the absence of one....I'm calling BS.
- screensnot, on 10/12/2007, -0/+10Everybody but Brian knew you were joking.
- JRMillion, on 10/12/2007, -0/+10A company I do some freelance work for has their phpMyAdmin totally unprotected. With all their intranet and staging data...
I told them to password it... did they listen? nope.
I'm just waiting for some bot (or person) to find it from some usage log or something and trash the whole thing...
- Leonaken, on 10/12/2007, -4/+14The guy who wrote the article says "Whoops" after almost every paragraph. Whoops.
- Zippo, on 10/12/2007, -0/+9Score one for the uber Googlebot of DOOM.
- lava, on 10/12/2007, -0/+7"It also doesn't pay attention to Javascript, which would normally prompt and redirect users who are not logged on."
OMFG. I want to know what this company is so I can avoid them like a plague. Why the hell would you do authentication client side?
- mindtrap, on 10/12/2007, -0/+7Oh yeah. Obviously the programmer isn't as good as he should be. That's one expensive lesson.
- inactive, on 10/12/2007, -0/+6I think it's best to spare ourselves from even trying to understand whatever code such a world-class programmer as described in the article can come up with. It would be like a programmer's equivalent of goatse.
- phpirate, on 10/12/2007, -3/+9Google rocks at everything. Even teaching poor developers a lesson. If they had that kind of a problem, who knows what other vulnerabilities are in there.
- inactive, on 10/12/2007, -2/+8All I can say: what the crap. Even my 11 year old friend can do better.
- tempusrob, on 10/12/2007, -1/+7Far, far from a joke.
Sad as it may be, the stuff on TheDailyWtf.com is quite real.
- olegk, on 10/12/2007, -1/+7"As it turns out, Google's spider doesn't use cookies, which means that it can easily bypass a check for the "isLoggedOn" cookie to be "false". "
lol :) and they blame googlebot... idiots
- webdevil, on 10/12/2007, -1/+7@chapter80
I've always held a strong belief that there are just some people who shouldn't be allowed to use the Internet. You are one of them.
- thewebguy, on 10/12/2007, -4/+9uh, i call *****.
think about it, if there is no cookie, then $_COOKIE['isLoggedIn'] will return null, therefore not breaking a statement that would look like this:
if ($_COOKIE['isLoggedIn'] != true) {
header("Location: login.php");
}
or your favorite language's equivalent. i honestly don't see it being a possibility that the system would be so bad that it would not use a better check, and that it would leave the redirect up to javascript.
- inactive, on 10/12/2007, -4/+9Management are bigger ***** wits than the person who coded this. It's only a matter of time now; someone will copy and paste again and it'll happen all over again. They don't have the brains to fix the problem.
- Web_Weasel, on 10/12/2007, -0/+5Genius may have its limitations, but stupidity is not thus handicapped. --Elbert Hubbard
- Shinglor, on 10/12/2007, -0/+5A web that has been refined through the ages by web crawlers all over the world, one that has become so incredibly secure it requires at least some kind of authentication.
- tizz66, on 10/12/2007, -0/+4Hold on, it says the Josh guy worked for a *company* that did this. You mean a *company* gets paid to write code like that?
Wow, I'm in the wrong job...
- irate, on 10/12/2007, -0/+4Googlebot: hacking day by day
- kewldude606, on 10/12/2007, -0/+4No, because true and false were probably stored as strings. Because cookies are strings, not booleans.
- panique, on 10/12/2007, -1/+5lol we can only hope...
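Pulling together the logic the thread reconstructs (laelfrog's quoted `isLoggedOn != "false"` check, kewldude606's point that cookie values arrive as strings, panique's "presence, not absence" rule and merreborn's rule that GET must never be destructive), here is an added example that is not code from the story or from any commenter: a toy model of the broken handler beside a hardened one. The `Request` class, the `SESSIONS` store, `login()`, the handler names and the sample page table are my own assumptions for the demo.

```python
"""Added example, not code from the story or from any commenter.

Models the logic the thread reconstructs (a cookie that merely must not be the
string "false", a "Delete this page" link reachable by GET) next to a hardened
version.  Request, SESSIONS, login() and the handler names are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # a crawler sends none
    form: dict = field(default_factory=dict)


def fresh_pages():
    """Constructed sample data standing in for the site's pages table."""
    return {"1": "home", "2": "about", "3": "contact"}


def page_id(path):
    return path.rsplit("/", 1)[-1]


def vulnerable_app(req, pages):
    """Reconstruction of the thread's reading of the story.

    Cookies are strings, so the check compares against the literal "false".
    A request with no cookie at all yields None, and None != "false", so
    Googlebot (no cookies, no JavaScript to redirect it) counts as logged in.
    Delete is an ordinary GET link, so merely crawling it destroys data.
    """
    if req.cookies.get("isLoggedOn") != "false":
        if req.method == "GET" and req.path.startswith("/delete/"):
            pages.pop(page_id(req.path), None)
            return 200, "deleted"
        return 200, "ok"
    return 302, "login"


SESSIONS = {}  # server side: opaque session id -> {"user": ..., "csrf": ...}


def login(user):
    """Issue an unguessable session id; authority lives server side, not in the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def hardened_app(req, pages):
    """Authorize on the *presence* of a valid server-side session, refuse to
    mutate on GET, and require a per-session CSRF token on the POST."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 302, "login"
    if req.path.startswith("/delete/"):
        if req.method != "POST":
            return 405, "method not allowed"
        if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
            return 403, "bad csrf token"
        pages.pop(page_id(req.path), None)
        return 200, "deleted"
    return 200, "ok"


def simulate():
    """Replay a crawler hit and a real user's actions against both apps."""
    out = {}
    crawler = Request("GET", "/delete/1")  # Googlebot: no cookies, no JS
    pv, ph = fresh_pages(), fresh_pages()
    out["vuln_crawler"] = vulnerable_app(crawler, pv)[0], len(pv)
    out["hard_crawler"] = hardened_app(crawler, ph)[0], len(ph)

    # The vulnerable app only locks out a visitor who explicitly says "false"...
    out["vuln_false"] = vulnerable_app(Request("GET", "/delete/2", {"isLoggedOn": "false"}), pv)[0]
    # ...and lets anyone who sets isLoggedOn=true by hand straight in.
    out["vuln_forged"] = vulnerable_app(Request("GET", "/pages/2", {"isLoggedOn": "true"}), pv)[0]

    sid = login("josh")
    cookies = {"sid": sid}
    out["hard_get_delete"] = hardened_app(Request("GET", "/delete/2", cookies), ph)[0]
    out["hard_post_no_csrf"] = hardened_app(Request("POST", "/delete/2", cookies), ph)[0]
    good = Request("POST", "/delete/2", cookies, {"csrf": SESSIONS[sid]["csrf"]})
    out["hard_post_csrf"] = hardened_app(good, ph)[0], len(ph)
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:18} {result}")
```

Run it and the crawler's cookie-less GET wipes a page in the vulnerable model but only earns a redirect in the hardened one. The CSRF token is there because moving delete to POST alone is not enough: a logged-in user's browser would still attach the session cookie to a form auto-submitted from another site, so the handler also demands a value only the legitimate page could have rendered.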
- kewldude606, on 10/12/2007, -0/+4No, because cookies are stored as strings. So true and false were probably stored as "true" and "false".
null != "false"
edit: I just posted and my comment didn't show up, so then I posted again...wtf?
- inactive, on 10/12/2007, -0/+4um..... I'm a senior in high school now and I know better than to do things like:
1) not keeping any backups whatsoever
2) authorizing by cookies (I leave it to the PHP session manager for the cookie authentication)
And plus, if I had to make a modifiable page like that, I would use IP restrictions simply by typing: if($_SERVER['REMOTE_ADDR'] != "0.0.0.0"){die ("no access");}
I'm sure the dude learned not to use that authentication method again
- linuxrebel, on 10/12/2007, -0/+4Don't tell me.... let me guess.... Tuttle Oklahoma right?
- Qwertie, on 10/12/2007, -0/+4Interestingly, Ruby on Rails' built-in scaffold presents the list screen in exactly this problematic way: the delete command is an ordinary "a href" link and the only thing stopping accidental deletion is a JavaScript confirmation that GoogleBot would ignore.
So Ruby on Rails developers that start with the scaffold and tweak it to fit their needs might suddenly find themselves with a lot less data in their database! (of course, you wouldn't normally leave out authentication except in prototype code...)
- digdugdig, on 10/12/2007, -0/+3That's because he wanted to be nice about it.... :)
- Hyperion, on 10/12/2007, -2/+5@chapter80: Although I don't agree with the whole "younger generation" part of your comment (I agree with dongiaconia), the last sentence was just hilarious. Thumbs up for you.
- CoconutBoy, on 10/12/2007, -0/+3No, see the article says "it can easily bypass a check for the "isLoggedOn" cookie to be "false"." which probably means that he's basically going "If it's not false then they can log on" as opposed to "If it's true they can log on". Double negatives and whatnot.
- jforward, on 10/12/2007, -0/+3Truly spoken like someone who doesn't know the language very well. PHP is just as secure/insecure as you program it to be.
- SavannahLion, on 10/12/2007, -0/+3For those of you who are calling *****, keep this in mind.
Some early versions of some Wiki platforms had an exposed "delete" link for images. Initially, some admins modified the code to hide these delete links, but once GoogleBot crawls your site, it'll return looking for those same links. As anyone with half a brain knows, the correct way to process this kind of request would be to verify user identification and privileges *server* side, not client.
The problem is that there are far too many people who *think* they can write the backend for a website, but don't actually understand what it is they write. I've spotted a lot of bad code on just about every one of those code repository sites for just about every language, posted by people who have virtually no experience or no formal training on how to write good code.
If I ever catch my web-admin using client-side javascript to verify and authenticate users, he's going to be fired.
- jforward, on 10/12/2007, -0/+3Well, it's been a while since I've done any major javascript (so this may not be the case), but I have run into instances in the past where any comparison to a variable holding "null" returns true, no matter what. Microsoft's SQL Server was one of those cases (they wanted you to write IS NOT NULL rather than != NULL), if I recall correctly.
- rspeed, on 10/12/2007, -0/+2This is beyond not knowing best practices for secure authentication on web sites. There is a staggering lack of common sense. I refuse to believe this is real.
And as many of us know, anyone saying "I refuse to believe" is in denial.
- digdugdig, on 10/12/2007, -0/+2It's a crazy thing to do, but then, there are a lot of people who are able to upload phpmyadmin, but aren't capable of locking it down, even with something as simple as a password. You can find *many* open phpmyadmins if you google for it.
- digdugdig, on 10/12/2007, -0/+2Lol! olegk and lavas comments pretty much sums it up.
- asmodeus, on 10/12/2007, -0/+2Qwertie - if that's true, do you know how it interacts with browser prefetching? Does the prefetch execute the JavaScript confirmation, bypass it, or just not fetch for it?
- madblunted, on 10/12/2007, -0/+2A friend of mine had this happen to his website. It had something to do with mysql.. don't know the techie stuff but it was something to do with the default password in a database and google ended up deleting everything.
- wolever, on 10/12/2007, -0/+2All the people who are surprised clearly haven't seen very much of The Daily WTF >_~