Let's open our MySql server to anyone!



  • Fresh off BitsDuJour: Telist. It's a little contact management program written with VB6. The program itself isn't very notable; it's just a contact management program. However, its purchasing system is rather... interesting. Let's have a look. The order process starts on http://www.telist.net/order0.php. Looks typical. Select license type, enter country, and promo code if you have any. Next, select version, and enter quantity. Being a free promotion at BitsDuJour, I've entered the promo code. As a silly thing I like to do, I try to see what's the maximum number of items I can get for free. I've tested that out already, and it's fine. But what if we try with a regular purchase? Here's a screenshot of what it should look like normally.

    OK, not too exciting. Let's up the amount!

    Wait, did the price just turn to zero? Anyway, what if we go higher?

    The price is now NAN. Now we're talking. Here's the order summary.

    I didn't even bother to enter a name. But hey, it's done. No input validation whatsoever.

    Now time for the program. Let's try to activate!

    My firewall asks me to allow the program internet access. Internet activation? Screw that. But wait, what's this?

    Does that say MySql? Wait, WTF? Are you telling me the program is connecting directly to a MySQL server to do activation? Since when was it safe to allow a client program DB server access? Especially being a program that anyone can download and screw around with? Let's try that again with internet, and watch what gets through.

    Sure enough that's a SQL query alright.

    Only one thought I have: WTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTFWTF. It's only a matter of time before someone dumps the entire database and starts screwing with it. I've emailed the developer, and the only reply I got was "Thanks for your emails." Interesting to note that the company that made this does web design. Great job with their website. I'm certain they know how to make a great looking website that isn't susceptible to SQL injection attacks. (Heck, why try SQL injection when you can connect directly to the DB server?)

    Edit: Interesting to note, the entire site doesn't even have SSL. Your information is super safe!



  • Awesome. Great WTF.



  • @GMMan said:

    Being a free promotion at BitsDuJour, I've entered the promo code.
    No need for a promo code.  Just enter a really large quantity and you can download the €39 ($48 US) "Pro" version along with a serial number.

     

    Not that I would actually do that.




  • I tried entering the key for my free version (which I entered quantity 10000000000000000000000..... for), and it gives me an overflow error. So much for that.



  • I know, order -1000 copies. And some pizza.





  • @realmerlyn said:

    I'm too lazy to write a href

    No need for that! We already have the database credentials! Just drop the table straight out!



  • Interesting. Ordering 0 copies and inserting the license key seems to put the program in an infinite loop trying to validate. I imagine it's the same thing if you order -1000 copies (no, it does not give you money back).



  • Let's just hope they don't send you a bill for NaN Euros, and no matter how much you pay them, the balance never decreases...



  • @ekolis said:

    Let's just hope they don't send you a bill for NaN Euros, and no matter how much you pay them, the balance never decreases...

    It's also not equal to the amount they billed you for.



  • @Ben L. said:

    @ekolis said:
    Let's just hope they don't send you a bill for NaN Euros, and no matter how much you pay them, the balance never decreases...

    It's also not equal to the amount they billed you for.

    Well, what do you expect him to DO, write a check for "NaN Euros"?



  • @ekolis said:

    write a check for "NaN Euros"
     

    if isNan(euros)
    {
        // -- euros are NaN
    }
    else
    {
       // -- euros are not NaN
    }

    My work is done.

    Just to annoy Blakey:

    (if isNan(euros)) ? processNaNEuros() : processNotNaNEuros() ; 


  • The table names suggested they were Portuguese, so out of curiosity I checked and they are. For shame.

    I was going to be a good samaritan and give them a heads-up, but then I realized they provide absolutely no contact information whatsoever. So meh.



  • @Cassidy said:

    @ekolis said:

    write a check for "NaN Euros"
     

    if isNan(euros)
    {
        // -- euros are NaN
    }
    else
    {
       // -- euros are not NaN
    }

    My work is done.

    Just to annoy Blakey:

    (if isNan(euros)) ? processNaNEuros() : processNotNaNEuros() ; 

    if euros == euros {
        // a number
    } else {
        // not a number
    }


  • Here's what the developer said: "Yes, many plans for fixing everything." Ahh, vagueness at its best. I don't imagine he even has a clue how to begin fixing things.



  • I have many plans for taking over the world. But I'm not taking over the world.

    Not until I can get this fucking neutron bomb working right.



  • @ekolis said:

    @Ben L. said:
    @ekolis said:
    Let's just hope they don't send you a bill for NaN Euros, and no matter how much you pay them, the balance never decreases...
    It's also not equal to the amount they billed you for.

    Well, what do you expect him to DO, write a check for "NaN Euros"?

    Sure.  Why not?




  • Hey! That's in dollars! What do you expect the bank to do when they have to convert NaN dollars into NaN euros?



  • @GMMan said:

    Hey! That's in dollars! What do you expect the bank to do when they have to convert NaN dollars into NaN euros?
    NaN Dollars x 0.77



  • @El_Heffe said:

    @GMMan said:

    Hey! That's in dollars! What do you expect the bank to do when they have to convert NaN dollars into NaN euros?
    NaN Dollars x 0.77

    So NaN dollars is equal to NaN euros? Eureka! You've broken the currency system! Now all I need to do is get NaN yen and convert them to British pounds, and I'll be set!



  • @ekolis said:

    @El_Heffe said:

    @GMMan said:

    Hey! That's in dollars! What do you expect the bank to do when they have to convert NaN dollars into NaN euros?
    NaN Dollars x 0.77

    So NaN dollars is equal to NaN euros? Eureka! You've broken the currency system! Now all I need to do is get NaN yen and convert them to British pounds, and I'll be set!

    $NaN is not equal to €NaN, and neither is €NaN



  • @ekolis said:

    So NaN dollars is equal to NaN euros? Eureka! You've broken the currency system! Now all I need to do is get NaN yen and convert them to British pounds, and I'll be set!
    So, if you have that many yen that you can no longer count them, you want to convert them to pounds sterling so they're worth more? Why? Because of taxes?

     



  • @ekolis said:

    So NaN dollars is equal to NaN euros? Eureka! You've broken the currency system!
     

    .. and fixed Greece's economy in the process, so it's not all bad.



  • @GMMan said:

    Sure enough that's a SQL query alright.

    I'm not sure I see a problem. If it's connecting using a read only user, then the worst you can do is read some data from the database. I guess it's easily hackable and you can get a list of serial numbers.

    If the user is truly read only, you can't do any damage to the database. So not a huge WTF, even though it should've been done using a web service.


  • @russ0519 said:

    I'm not sure I see a problem. If it's connecting using a read only user, then the worst you can do is read some data from the database. I guess it's easily hackable and you can get a list of serial numbers.

    If the user is truly read only, you can't do any damage to the database. So not a huge WTF, even though it should've been done using a web service.

    Odds are the database doesn't just hold serial numbers. You could dump the whole database, and possibly others on the same server. Yes, they could lock down the access, but if they're doing something this dumb, do you think they did?





  • @joe.edwards said:

    @russ0519 said:
    I'm not sure I see a problem. If it's connecting using a read only user, then the worst you can do is read some data from the database. I guess it's easily hackable and you can get a list of serial numbers.

    If the user is truly read only, you can't do any damage to the database. So not a huge WTF, even though it should've been done using a web service.

    Odds are the database doesn't just hold serial numbers. You could dump the whole database, and possibly others on the same server. Yes, they could lock down the access, but if they're doing something this dumb, do you think they did?

    With the plethora of MySQL admin tools available, it's not that hard to assign permissions to a user. Building a web service, especially for someone who may not be a web developer, is a lot harder. Most non-web developers probably don't realize that you can sniff web traffic.



  • @russ0519 said:

    @joe.edwards said:
    @russ0519 said:
    I'm not sure I see a problem. If it's connecting using a read only user, then the worst you can do is read some data from the database. I guess it's easily hackable and you can get a list of serial numbers.

    If the user is truly read only, you can't do any damage to the database. So not a huge WTF, even though it should've been done using a web service.

    Odds are the database doesn't just hold serial numbers. You could dump the whole database, and possibly others on the same server. Yes, they could lock down the access, but if they're doing something this dumb, do you think they did?

    With the plethora of MySQL admin tools available, it's not that hard to assign permissions to a user. Building a web service, especially for someone who may not be a web developer, is a lot harder. Most non-web developers probably don't realize that you can sniff web traffic.


    The developer who made this has a web design/hosting/advertising/whatever company. I think they're expected to be able to build web services.
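
    Added example, not Telist's code or schema (nothing in the thread shows the vendor's tables; every database, table, column, account and procedure name below is assumed). It works through the argument in the last few posts: first how to find out what an account whose password ships inside a client binary can actually reach, then why the "read-only user" russ0519 proposes still hands out the whole licence table, and finally an EXECUTE-only account on a SQL SECURITY DEFINER procedure, which lets the client ask "is this serial valid?" and nothing else. This is MySQL syntax, to be run by a DBA.

    ```sql
    -- Added example, not Telist's schema or code: every name here is assumed.
    -- Run as a DBA on MySQL 5.x / 8.0.

    -- 1. Audit what the credential baked into the client can reach.
    --    Connect with that credential (recovered from the binary or from the
    --    wire, as in the first post) and run:
    SHOW GRANTS FOR CURRENT_USER();
    SELECT table_schema, table_name
      FROM information_schema.tables
     WHERE table_schema NOT IN ('mysql', 'information_schema',
                                'performance_schema', 'sys');
    -- If the second query lists anything beyond the licensing table, the
    -- "dump the whole database, and possibly others" scenario is live.

    -- 2. Assumed licensing table, so the grants below have something to bind to.
    CREATE DATABASE IF NOT EXISTS telist;
    CREATE TABLE IF NOT EXISTS telist.licenses (
        serial   CHAR(36)     NOT NULL PRIMARY KEY,
        customer VARCHAR(100) NOT NULL,
        email    VARCHAR(254) NOT NULL,
        seats    INT UNSIGNED NOT NULL,
        revoked  TINYINT(1)   NOT NULL DEFAULT 0
    );

    -- 3. The "read-only user" from the thread. Nothing can be modified, but
    --    whoever pulls this password out of the program gets every serial and
    --    every customer row with one SELECT.
    CREATE USER 'telist_ro'@'%' IDENTIFIED BY 'replace-me';
    GRANT SELECT ON telist.* TO 'telist_ro'@'%';

    -- 4. Tighter: the client may only ask one question.
    --    SQL SECURITY DEFINER makes the body run with the privileges of the
    --    account that created the procedure (the DBA), so the caller needs no
    --    rights on the table at all.
    DELIMITER $$
    CREATE PROCEDURE telist.check_license(IN p_serial CHAR(36), OUT p_valid TINYINT)
        READS SQL DATA
        SQL SECURITY DEFINER
    BEGIN
        SELECT COUNT(*) INTO p_valid
          FROM telist.licenses
         WHERE serial = p_serial AND revoked = 0;
    END$$
    DELIMITER ;

    -- REQUIRE SSL (MySQL 5.7+ syntax) because the query traffic, including the
    -- serial being checked, is plaintext unless TLS is enforced.
    CREATE USER 'telist_client'@'%' IDENTIFIED BY 'replace-me-too' REQUIRE SSL;
    GRANT EXECUTE ON PROCEDURE telist.check_license TO 'telist_client'@'%';
    -- Deliberately no GRANT SELECT: this should list only USAGE and EXECUTE.
    SHOW GRANTS FOR 'telist_client'@'%';

    -- 5. What the client account can and cannot do:
    CALL telist.check_license('00000000-0000-0000-0000-000000000000', @ok);
    SELECT @ok;                       -- 0 or 1, nothing else comes back
    SELECT * FROM telist.licenses;    -- denied: SELECT command denied (ERROR 1142)
    SELECT * FROM mysql.user;         -- denied as well
    ```

    The EXECUTE-only form shrinks the blast radius of a leaked credential, but it does not answer the objection that the thread ends on: every installed copy still carries the same password, anyone can script the CALL to enumerate serials, and nothing on the database side rate-limits or logs per user. Those are the things a server-side activation endpoint gives you, which is why the "should've been done using a web service" point stands even with the grants fixed.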



  • Interesting. All Produlogia and Telist domains have disappeared. Can't seem to connect to its last known IP address either. Maybe this guy's running a VPS, or heaven forbid, a home server. Maybe that's part of his many plans for fixing everything. So much for anyone who tries to use the program, since it's operated on a per-user license and uses the server to verify each session.


  • @russ0519 said:

    Most non-web developers probably don't realize that you can sniff web traffic.
    It wouldn't surprise me to find out that most web developers are similarly knowledgeable.



  • Would you even want to download their software for free given how they handle the purchases?



  • The site's back now. And the maximum quantity is now 999. But the price is consistently 0. So, I don't know, free licenses?



  • In this case, The Real WTF™ actually is Visual Basic. I mean, come on, VB6? In 2013?



  • I was just going to post this. Sure, MySQL wasn't really designed for this, but it's still possible to use it as a public server if the permissions are properly set.

    It's still a WTF in this case, if you only have to get/send a couple of things, but I guess in some complex applications it might make more sense. Heck, Facebook even has a "Facebook Query Language" which is basically SQL.



  • @spamcourt said:

    I was just going to post this. Sure, MySQL wasn't really designed for this, but it's still possible to use it as a public server if the permissions are properly set.
     

    I usually have permissions properly set anyway, public or private server. Force of habit.



  • @El_Heffe said:

     

     A couple of days ago I found myself wondering if you could "deface" someone's paycheck by changing only the payee, so it read Pay to the Order of David Henderson dressed as Shirley Temple complete with curly blonde hair.

    In the days before automatic deposit, would that require David to show up at the bank in the appropriate costume to cash or deposit the check?


  • @da Doctah said:

    A couple of days ago I found myself wondering if you could "deface" someone's paycheck by changing only the payee, so it read Pay to the Order of David Henderson dressed as Shirley Temple complete with curly blonde hair.

    In the days before automatic deposit, would that require David to show up at the bank in the appropriate costume to cash or deposit the check?

    You could, but that doesn't mean that the other party would accept such a non-standard contract offer anything like as willingly as a normal check. Since the only reason for using a check in the first place is to give someone some of your money, there's no point in putting anything silly in it.

    There have been documented cases of checks being written on non-standard objects though, and those at least used to be valid. My favorite example was when someone wrote the check on a toilet, but that's probably just me being a bit childish.



  • @da Doctah said:

    @El_Heffe said:

     

     A couple of days ago I found myself wondering if you could "deface" someone's paycheck by changing only the payee, so it read Pay to the Order of David Henderson dressed as Shirley Temple complete with curly blonde hair.

    In the days before automatic deposit, would that require David to show up at the bank in the appropriate costume to cash or deposit the check?

    Or, even better:

    Pay to the order of: David Henderson or Snidely Whiplash

    This is why I always draw a horizontal line after the payee, in addition to after the amount!

