Scariest. Code. Ever. - Grin with cat attached — LiveJournal
Scariest. Code. Ever. Apr. 13th, 2006 07:29 am
http://syndicated.livejournal.com/daily_wtf/134861.html

I'll try and upload an annotated version of that guestbook script I used for testing shortly, as I won't need it for interviewing again for a while...

From: ciphergoth
Date: April 13th, 2006 - 07:03 am
I mostly don't find the Daily WTF as amusing as all that, but that's just incredible. The thing that's really scary is that they must have at least a moderate amount of programming skill in order to implement execPHP in the first place, and to be able to do it without knowing why it's an unbelievably bad idea...
From: faerierhona
Date: April 13th, 2006 - 08:34 am
As a non-code geek, why is it scary?
From: syllopsium
Date: April 13th, 2006 - 08:50 am
It's a function that gives the web browser carte blanche to execute any SQL through the web server(!). Subject to the access permissions on the SQL server, the whole database can be read, modified, deleted etc (SELECT creditcardno FROM userdetails, anyone?)
From: wechsler
Date: April 13th, 2006 - 09:32 am
Any PHP, in fact.
From: syllopsium
Date: April 13th, 2006 - 11:48 am
ah yes, indeed.
From: ciphergoth
Date: April 13th, 2006 - 08:58 am
Most security holes rely on the attacker finding a cunning way to execute their code on your server. This code makes it clear that they've deliberately provided a mechanism to make it as easy as possible to do just that.

Metaphorically speaking, most security holes involve climbing up the side of the building and finding a tiny forgotten air duct you can crawl through. This is like, they've rolled out the red carpet and there's a butler waiting to take your coat as you waltz right in.
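To make concrete what the comments above describe (a request handler that runs whatever code the client sends, with the database exposed "subject to the access permissions on the SQL server"), here is an added example. It is not the script from the linked Daily WTF post, which this page does not reproduce; the shape of `execPHP`, the `code` parameter, the `runAction` dispatcher and the guestbook table are assumptions for illustration. The first function is the pattern the thread is laughing at; the rest is the design that should have been used instead: the client names an action from a fixed list, the server owns every line of code that runs, and user-supplied text reaches the database only as a bound parameter.

```php
<?php
// Added example, not the original script. Names below are assumptions.

// --- The dangerous pattern: the client chooses the code the server runs. ---
// A request such as  ?code=phpinfo();  runs with the web server's privileges;
// a request containing a database call reads or modifies whatever the DB
// account may touch. There is nothing to "exploit": the feature is the hole.
function execPHP(string $code): void
{
    eval($code); // DO NOT DO THIS: remote code execution by design
}

// --- A safer design: the client picks a name, the server owns the code. ---
// Only actions listed here can run; unknown names are rejected, and arguments
// are validated as data rather than interpreted as code.
const ACTIONS = [
    'list_entries' => 'listEntries',
    'add_entry'    => 'addEntry',
];

function listEntries(PDO $db, array $args): array
{
    $limit = filter_var($args['limit'] ?? 10, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($limit === false) {
        throw new InvalidArgumentException('limit must be an integer 1..100');
    }
    $stmt = $db->prepare('SELECT name, message FROM guestbook ORDER BY id DESC LIMIT :limit');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function addEntry(PDO $db, array $args): array
{
    $name    = trim((string)($args['name'] ?? ''));
    $message = trim((string)($args['message'] ?? ''));
    if ($name === '' || strlen($name) > 64 || $message === '' || strlen($message) > 2000) {
        throw new InvalidArgumentException('name (1..64 chars) and message (1..2000 chars) required');
    }
    // Parameterised query: the visitor's text is data, never SQL.
    $stmt = $db->prepare('INSERT INTO guestbook (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
    return ['id' => (int)$db->lastInsertId()];
}

function runAction(PDO $db, string $action, array $args): array
{
    if (!isset(ACTIONS[$action])) {
        throw new InvalidArgumentException('unknown action: ' . $action);
    }
    return ACTIONS[$action]($db, $args);
}

// Usage with a constructed in-memory SQLite database, so it runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, message TEXT)');

runAction($db, 'add_entry', ['name' => 'visitor', 'message' => "O'Brien says hi; DROP TABLE guestbook"]);
print_r(runAction($db, 'list_entries', ['limit' => 5]));   // the quote and the DROP are stored as text

try {
    runAction($db, 'eval', ['code' => 'phpinfo();']);         // rejected: not in the allowlist
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The point of the dispatcher is not the particular list of actions but the direction of control: with `execPHP` the request decides what the server does, with `runAction` the server decides and the request can only choose among options it already provides. Binding `LIMIT` as `PDO::PARAM_INT` and validating lengths up front keeps even the permitted actions from becoming a second injection point.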
From: babysimon
Date: April 13th, 2006 - 09:32 am
I look at something like that and wonder if the poster is making it up. Surely no one could be that stupid.

Hey, ignorance is bliss, right?
From: envoy
Date: April 13th, 2006 - 10:11 am
It's an internal application that no-one else in the company knows about, between two perfectly secure servers behind an impenetrable firewall, so they can do anything and it's safe, right?
From: ciphergoth
Date: April 13th, 2006 - 12:59 pm
OTOH it might be fun to set something like that up on a honeypot and see what sort of code people inject...
From: babysimon
Date: April 13th, 2006 - 04:31 pm
You'd have to make sure people knew about it.

My personal theory is that people often get away with truly horrifying security holes in bespoke software that's only deployed in one place, simply because the black hat crowd don't bother looking for this sort of thing (except against high profile targets). Better to look for yet another vulnerability in some crappy web server or some crappy PHP app - then you have lots of targets and can write a worm.

This is borne out by a CMS I saw someone build for a minor high street chain's web site. The admin tool was at a guessable location, and there were no passwords (seriously!). Never saw it get hacked, probably because it was a one-off.