Well done, Iowa legislative website



  • I had the strange occasion to look here. No, no legal violations were involved. Anyway, see the Quick Search?

    OK, then. I didn't know whether the quick search would happen to function as a topic search, so I tried it, with "Lottery". The result?

    Great input validation. How about the standard stuff that ASP.NET catches by default? Let's try .



  • I tried the search and it is a lot worse than what I understood from your explanations.

    At least they took time to use the $ in the smb share so it would be hidden on the local network!


  • Discourse touched me in a no-no place

    @corgimonster said:

    Is it just me, or are there two search boxes on that page? Do they do the same thing or are they wholly independent?



  • Ok, it's a WTF, but to be fair:

    1) It's quick. So they got that going for them.

    2) It's a search for stuff in the Iowa Code, which presumably has a well-defined format-- if you plug in a code grabbed from another page of the site (like 489.1102), it brings it right up.

    So the real WTF is that it doesn't handle errors in any even slightly intelligent way.


  • Considered Harmful

    So, has anybody tried directory traversal?



  • @blakeyrat said:

    2) It's a search for stuff in the Iowa Code, which presumably has a well-defined format-- if you plug in a code grabbed from another page of the site (like 489.1102), it brings it right up.



    This. The Code is a set of physical books containing the current laws passed in the state of Iowa. What I find interesting is that rather than setting up a series of html pages with hyperlinks between each chapter/section, they appear to have them broken down into PDFs.




  • @joe.edwards said:

    So, has anybody tried directory traversal?


    They append a .PDF at the end of the filename, so it's not a trivial case of that attack; you'd need to get a bit creative here.


  • Considered Harmful

    @Husky said:

    @joe.edwards said:
    So, has anybody tried directory traversal?


    They append a .PDF at the end of the filename, so it's not a trivial case of that attack, you'd need to get a bit creative here.

    The Wiki article I linked to mentions:

    Using a hard-coded predefined file extension to suffix the path does not limit the scope of the attack to files of that file extension. <?php include($_GET['file'] . '.html'); The user can use %00 (return to line, \n) to bypass everything after the $_GET.



  • @joe.edwards said:

    @Husky said:
    @joe.edwards said:
    So, has anybody tried directory traversal?


    They append a .PDF at the end of the filename, so it's not a trivial case of that attack, you'd need to get a bit creative here.

    The Wiki article I linked to mentions:

    Using a hard-coded predefined file extension to suffix the path does not limit the scope of the attack to files of that file extension. <?php include($_GET['file'] . '.html'); The user can use %00 (return to line, \n) to bypass everything after the $_GET.

    That's true only if the %00 is unescaped. It's not a newline character btw, it's a NULL-byte, terminating the C-string ("\0"). But at least with magic_quotes_gpc on, it's escaped and in the string it becomes "\0", so it will still use the suffix.


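An added example (editorial, not code from the Iowa site or from any poster in this thread) that runs through the two claims above: joe.edwards' quoted Wikipedia snippet, where a hard-coded suffix is defeated by a %00 in the request because the C-level file API stops at the first NUL byte, and Evo's point that magic_quotes_gpc turns that NUL into the two characters backslash-zero so the suffix survives. The document root `/srv/iowacode/pdf`, the `.pdf` suffix, the section identifier `489.1102` style and the function names are assumptions made for illustration; `vulnerable_resolve` simulates the C-string truncation in Python rather than calling the OS, and `safe_resolve` is one way to harden the same lookup.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed for this example: a document root an app like the one discussed
# might serve section PDFs from (assumed path, not the real site's layout).
DOC_ROOT = "/srv/iowacode/pdf"
SUFFIX = ".pdf"


def addslashes(value: str) -> str:
    """PHP's addslashes(), which magic_quotes_gpc applied to every request value:
    backslash-escape ' " \\ and NUL (a NUL byte becomes the two characters \\0)."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\x00", "\\0"))


def vulnerable_resolve(raw_query_value: str, magic_quotes: bool = False) -> str:
    """Mimics  include($_GET['file'] . '.pdf')  handed to a C-string file API.

    The server URL-decodes %00 into a real NUL byte. A C library call stops
    reading the filename at the first NUL, so the hard-coded suffix (and
    anything after it) is silently dropped. With magic_quotes on, the NUL has
    already become backslash-zero, so no truncation happens and the suffix stays.
    """
    decoded = unquote(raw_query_value)            # "%00" -> "\x00"
    if magic_quotes:
        decoded = addslashes(decoded)
    path = DOC_ROOT + "/" + decoded + SUFFIX      # naive concatenation
    c_string = path.split("\x00", 1)[0]           # truncation at the first NUL
    return posixpath.normpath(c_string)           # the path the OS would actually open


# Allowlist for identifiers such as 489.1102, optionally under a subfolder.
# Deliberately still permits "." and "/", so the containment check below matters.
_SECTION_RE = re.compile(r"[A-Za-z0-9._/-]+")


def safe_resolve(raw_query_value: str) -> Optional[str]:
    """Hardened lookup: reject NUL outright, allowlist the identifier, then prove
    the normalised path is still inside DOC_ROOT. Returns None on any failure."""
    decoded = unquote(raw_query_value)
    if "\x00" in decoded:                         # never let a NUL reach the filesystem
        return None
    if not _SECTION_RE.fullmatch(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded + SUFFIX))
    # Any "../" or absolute path that survived the allowlist lands outside DOC_ROOT.
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("489.1102", "../../../etc/passwd%00", "/etc/passwd"):
        print(repr(value),
              "| naive:", vulnerable_resolve(value),
              "| magic_quotes:", vulnerable_resolve(value, magic_quotes=True),
              "| safe:", safe_resolve(value))
```

Two things worth noticing when running it: with magic_quotes on, the suffix is indeed preserved, but the `../` sequences are not touched at all, so the request still walks out of the document root (it just asks for a file named `passwd\0.pdf` that happens not to exist); and Python itself refuses an embedded NUL in a real `open()` call with `ValueError`, so only the explicit `split` here reproduces what a C runtime does. The fix that actually closes the hole is the containment check on the normalised path, not the escaping of the NUL.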

  • @Evo said:

    ...But at least with magic_quotes_gpc on...

    Deprecated :) http://php.net/manual/en/security.magicquotes.php




  • @pbean said:

    @Evo said:

    ...But at least with magic_quotes_gpc on...

    Deprecated :) http://php.net/manual/en/security.magicquotes.php


    True, but still available, common, and commonly depended on.


  • Considered Harmful

    I know 00 is NUL. That was straight from the Wiki. I probably should have used a quote.



  • Everyone talking about $_GET, magic_quotes, and other PHP-related stuff... This is a .NET app, you guys.


  • Trolleybus Mechanic

    @toon said:

    Everyone talking about $_GET, magic_quotes, and other PHP-related stuff... This is a .NET app, you guys.

    Don't assume: http://www.infoq.com/articles/Phalanger


  • Discourse touched me in a no-no place

    So when are we going to see a release of PHP.NET? (“Everything you love about PHP with everything you love about .NET, now in one single simple package!”)


  • Considered Harmful

    @dkf said:

    So when are we going to see a release of PHP.NET? (“Everything you love about PHP with everything you love about .NET, now in one single simple package!”)



  • @Lorne Kates said:

    @toon said:

    Everyone talking about $_GET, magic_quotes, and other PHP-related stuff... This is a .NET app, you guys.

    Don't assume

    I had no idea! I haven't really looked at the article, so I might be missing something, but IIS 7 supports PHP reasonably well these days, right? Wondering what the point of converting to .NET bytecode is. Then again, maybe some people want to write .NET assemblies in PHP... Who knows how many front page articles lurk in that particular category of WTF.

