How not to do security
francis
15th Feb 2004, 08:59 pm
Heh - have a look at the IHT members' login facility (http://www.iht.org/IHT.org/memberslounge/ajlogin33Folder/login.asp). Try typing anything you want into the username and password boxes and then enter. At the time of writing, anything at all will work. Having a look at the first line of the members' page may give you a clue as to why. The trouble is that until the developer finds this out him/herself, members aren't going to be any the wiser, as they'll just assume their name/password is letting them in.
David
15th Feb 2004, 09:22 pm
If you look at the code, you can see why the login system does not work. First of all, the two <input> boxes don't actually do anything. They're not part of a <form>, and so there are no "action" or "method" attributes. Secondly, the "ENTER HERE" link is just that. You will be taken to the member area whether you type anything or not, because simply clicking on the link will take you to the member area.
Whoever created this code must have known that it doesn't work - weird.
<p><span class="text">Username:<br>
<input style="background-color: #FFFFFF; FONT-SIZE: 8pt; COLOR: #000000; FONT-FAMILY: Verdana" type="text" size="40" name="UserName" maxlength="255">
<br>
Password:<br>
<input style="background-color: #FFFFFF; FONT-SIZE: 8pt; COLOR: #000000; FONT-FAMILY: Verdana" type="password" size="40" name="Password" maxlength="255">
<br>
</span> </p>
<p>Username = Membership Number</p>
<p>Password = Surname with uppercase first letter</p>
<p>eg. </p>
<p>Username: 000012345</p>
<p>Password: Dunstall</p>
<p></p>
<p><a href="../index.html">ENTER HERE</a>
francis
15th Feb 2004, 10:02 pm
I hadn't noticed the code on the first page. How strange - makes you wonder what's going on.
David
15th Feb 2004, 11:40 pm
How did you stumble over this? Do you think we have a duty to point out this security flaw to the site owners?
francis
16th Feb 2004, 07:36 am
Someone posted it on the evolt mailing list, so it's probably been seen by a few thousand people by now :unsure:
David
16th Feb 2004, 08:53 am
It would be interesting to monitor the situation and see how long it takes them to sort it out. Perhaps we should offer our services - who knows, there may be some money in it.