Polish Security? (Repost)



  • This was originally posted by Quadesh as a reply to an article in the main forum; I thought it would get more traffic as its own thread:

    Hi there!

    It's my first day as a member on the Daily WTF :).

    I've something to share with You all, but since I don't have enough permissions to start a new thread I'll post it here.

    Visit http://www.kppd.pl/Dokumenty_KPPD/haslo.htm.

    It's not in English, but when You have a look at the source code of the page, You will definitely find it amusing. :) WTF?!

    I can only congratulate the author of this page on His Advanced Security Skills. :)

    Bye.




  • Wow.  Just .... wow.

    I hate one-word replies, but ... this ... defies everything.

    At what point does something like this seem like a good idea?

    <off to pound my head against my desk>



  • So many things wrong with this site.

    Now the question, is this page auto-generated based on a SQL table of usernames and passwords? Or is there a link somewhere on this site that translates to:

    "If you would like to change your password, just email it to me and I'll open my HTML editor and fix it."



  • Wow. All I can say is ... WTF?!



  • I like how the page you get redirected to after logging in doesn't even care about the passwords.  And of course someone has the password "1234".



  • OMFG.. the complete idiocy of it is simply mind-boggling..

    I wonder if those pairs are useful for anything else.. 



  • Just beautiful! Thanks for sharing.



  • My, that's so foolish... at first I was copy-pasting a username/password from the source when I realized that I could just as well copy-paste the damn url.

    It's not entirely horrible, though. I don't understand the language at all, but clicking around eventually asks me for a "Document Open Password" (I presume this is actually the pdf file reader itself), and it isn't just a random password from the starting page. Then again, it's interesting how all the users' passwords are revealed, and on top of that the short titles may well disclose some unwanted information.



  • Hey, it could be worse...

     ...

     ...

     ...

    ...

    ...oh wait, no it couldn't.



  • 404...


    Anyone care to describe it? 



  • [quote user="Aron"]404... Anyone care to describe it? [/quote]

    Darn, they must have noticed our fun ;-p

    I'll paraphrase: imagine in the page source (not even in a linked js file):

    <SCRIPT>
    function Login() {
      var success = false;
      var username = txtInput.value, password = txtPassword.value;
      if (username == 'fred' && password == 'yabadabadoo') {
        window.navigate('somepageurl.htm'); success = true;
      } else if (.... <snip about 20 users>) {
      }
      if (!success) alert('Incorrect password');
    }
    </SCRIPT>

    ***

    On the plus side, if they wanted to, this would allow them to display messages like "the password was correct, but the username Frod was wrong; did you mean Fred?".



  • Google has a copy: http://tinyurl.com/ybmkyy

    In case it forgets it:

    <SCRIPT LANGUAGE="JavaScript">
    <!-- Begin
    function Login(){
    var done=0;
    var username=document.login.username.value;
    username=username.toLowerCase();
    var password=document.login.password.value;
    password=password.toLowerCase();

    if (username=="rchmara" && password=="administrator") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="postrowski" && password=="szymon") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="egaluba" && password=="ela-1") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="ksienkiewicz" && password=="czaplinek") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="inowaczyk" && password=="pryzma") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="mszumowicz" && password=="1960") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="bmyslinski" && password=="bomy") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="klewandowski" && password=="kalisz4991") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="ikozlowska" && password=="ksiegowa") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="wkozakiewicz" && password=="uranos") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="mbieganska" && password=="maria") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="jkolodziejczak" && password=="jacek") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="bkowalska" && password=="beko") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="msiuda" && password=="kachu") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="apruska" && password=="aniap") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="rlubczyk" && password=="19710930") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="tszarpatowski" && password=="1234") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="kradomski" && password=="malgosia") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="tchrzanowska" && password=="teresa") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="rpodhajski" && password=="romuald1") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="apiwowarczyk" && password=="anetap") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="zwiewiora" && password=="hajec") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="eklimowicz" && password=="ewa") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="agruse" && password=="delta55") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="efedorowiat" && password=="tom") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="lpawlik" && password=="1705") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="akusmierski" && password=="ak1956") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="borczykowska" && password=="17111") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="mbamburak" && password=="m39") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="jbykowski" && password=="bykowski") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="eczerkawska" && password=="czela") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="bczerwinska" && password=="rudolf") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="zwnuk" && password=="69800") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="mjarmolinski" && password=="marucha") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="azielska" && password=="mania") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="ekonczak" && password=="radca") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="srodziewicz" && password=="rodzyn") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="dkotowska" && password=="bars1610") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="ismolinska" && password=="aneri") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="gmania" && password=="manix1965") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="mnosal" && password=="marion") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="hpokutycka" && password=="borsuk") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="rjasionas" && password=="reja") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="jwysocki" && password=="wiktoria") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="wpozoga" && password=="101010") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="estepniewska" && password=="zofia") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="wmojsiewicz" && password=="lipiec0708") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (username=="lgraczkowski" && password=="blackwood") { window.location="http://www.kppd.pl/Dokumenty_KPPD/dokumenty.html"; done=1; }
    if (done==0) { alert("Niewłaściwe hasło lub nazwa użytkownika!"); }
    }
    // End -->
    </SCRIPT>




  • OMG...

    40% of the passwords here are dictionary prone. Not only is the script written in the most stupid of all imaginable ways, the passwords are even more stupid... nearly all of them are dictionary prone. There are birth dates, the accountant's password is "accountant" (!), and some people are using their own names as passwords (!!!)... But doing a dict attack on this site would be the greatest WTF of all time :-D

    I'm from Poland too, and one of our national mottos is "Polak potrafi" ("the Pole can do it right"). :-D




  • That is beyond amazing...

