
    Obscure code hell and a security hole for a bus

    It would be nice to be able to say "only joking" about this code; however, this code was live, on the internet. Spot the bus-sized security hole.

    The code sample is color coded because I needed to demonstrate to some non-techies what a mess things were, and showing them the language mish-mash like this worked well. Sorry if you only have a narrow screen; I didn't fancy trying to word-wrap it ...

    Answer to the security hole below:

    Key:
    JSP - Server-side scripting language
    HTML - Client display layout
    Java - Server-side programming language
    JavaScript - Client scripting language
    SQL - Database programming language
    CSS - Client display style

    Code:

    ...
    <script>
    function saveSnippet(controlname) {
    var myvalue = document.all[controlname].value;
    mysql = "update mgruat.conf_component set <%=locale%>='"+cleanvalue(myvalue)+"' where id="+(controlname.substring(5));
    processQueue(mysql);
    document.all[controlname].style.backgroundColor="#ffffff";
    }
    </script>
    ...
    <%for (int i = 0; i < queryResult.length; i++) { %>
    ...
    <TD width="10"><INPUT style="width:300px;" onfocus="spansave<%=queryResult[i][0]%>.style.visibility='visible';this.style.background='#ffffcc'" value="<%=codedResult%>" type="Text" name="value<%=queryResult[i][0]%>"></TD>
    <TD><span id="spansave<%=queryResult[i][0]%>" style="visibility:hidden;"><NOBR><a href='javascript:;' onclick='spansave<%=queryResult[i][0]%>.style.visibility="hidden";saveSnippet("value<%=queryResult[i][0]%>")'><img src="/contenteditor/icons/save.gif" width="18" height="18" alt="" border="0" align="absmiddle"/> save</a></NOBR></span></TD>
    ...
    <%} %>
    ...
    ...

    It's not there any more ;-P.

    Digging the project out of this hole is what inspired me to write DWR.

    Curious about the security hole? Answer in white on a white background below, select the text to view:

    The SQL is assembled in client-side JavaScript rather than in Java, so the function it is handed to (processQueue) has to send that SQL string back to the server for execution. Anything the browser sends can be altered before it leaves, so changing the SQL to 'DROP DATABASE' is rather easy.
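    The following is an added example, not code from the original post or from DWR: a JavaScript model of the contract that should have sat between saveSnippet() and the database. The client sends only data (which row, which locale column, what text) and the server owns the SQL text. The allowlist of locale columns, the 4000-character limit on a snippet, and the request shape are assumptions made for the example.

```javascript
// Added example: the vulnerable string-building pattern from the post next to
// the server-side contract that should replace it. Not the original project's code.

// Constructed allowlist of locale columns the conf_component table is assumed to
// have. In a real deployment this comes from the schema, not a hard-coded set.
const LOCALE_COLUMNS = new Set(["en_GB", "fr_FR", "de_DE"]);

// Same shape as the snippet in the post: the browser builds the whole statement,
// so whatever text reaches processQueue() is what the server will execute.
// (The original wraps the value in cleanvalue(); any escaping done in the browser
// can be bypassed by the person sitting at the browser, so it is omitted here.)
function vulnerableClientSql(locale, controlname, value) {
  return "update mgruat.conf_component set " + locale + "='" + value +
    "' where id=" + controlname.substring(5);
}

// Hardened replacement, as it would run on the server: validate the two
// identifiers against fixed rules, then return a parameterised statement and
// its bind values. No request text is ever concatenated into the SQL.
function buildSaveSnippet(request) {
  const { locale, controlname, value } = request;

  // The column name cannot be bound as a parameter, so it is only ever taken
  // from the allowlist; the request merely selects one of the known entries.
  if (!LOCALE_COLUMNS.has(locale)) {
    throw new Error("unknown locale column: " + String(locale));
  }

  // controlname is "value<id>" in the original markup; accept digits only
  // after the prefix, so substring(5) can no longer smuggle in SQL.
  const m = /^value(\d{1,9})$/.exec(String(controlname));
  if (m === null) {
    throw new Error("malformed control name: " + String(controlname));
  }

  // Assumed limit for the example; the snippet text itself is bound, not spliced.
  if (typeof value !== "string" || value.length > 4000) {
    throw new Error("snippet value must be a string of at most 4000 characters");
  }

  return {
    sql: `update mgruat.conf_component set ${locale}=? where id=?`,
    params: [value, Number(m[1])],
  };
}

// Request handler shape: the executor (a DB driver in real code) receives the
// fixed SQL and the bind values separately. Returns the executor's result so the
// caller can confirm what actually reached the database.
function handleSaveSnippet(requestBody, execute) {
  const stmt = buildSaveSnippet(requestBody);
  return execute(stmt.sql, stmt.params);
}

// Stand-alone demonstration with a recording executor instead of a real driver.
if (typeof require !== "undefined" && require.main === module) {
  const recorded = handleSaveSnippet(
    { locale: "en_GB", controlname: "value42", value: "O'Reilly" },
    (sql, params) => ({ sql, params })
  );
  console.log(recorded);
  console.log(vulnerableClientSql("en_GB", "value42", "O'Reilly"));
}
```

    Note that the hardened version still interpolates the column name into the statement; that is unavoidable for identifiers, which is exactly why it may only come from a server-side allowlist rather than from the request.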

    Comments

    Rob Re: Obscure code hell and a security hole for a bus

    At my previous job, JSPs like that were a regular thing. It's amazing how those kinds of things were just developed because it's "always been done that way".

        Tom Hawtin Why?!

        What do you suppose goes through the mind of the programmer that so blatantly gives the client SQL? The only reason I can think of is that they don't give a toss, just so long as they can pass it off with the least personal effort. That attitude probably goes for the vast majority of programmers.

        Joe Walker Re: Obscure code hell and a security hole for a bus

        The strange thing is, I've met the programmer in question and he is a *very* smart bloke, and I'm fairly sure he knew exactly what he was doing.
        So here's an interesting perspective; I don't totally agree with it but it is worth noting:
        The programmer was under pressure to get a job done as quickly as possible, and (with the benefit of hindsight) correctly judged that no one would find the security hole. So he took a gamble (albeit a potentially costly one) and it paid off.

        Comments have been turned off on old posts