We're the UK market leader in 3 markets but you need IE to view us



  • I'm sure there are still quite a few IE only sites out there, but this one is a bunch of wtfs.



    www.creda.co.uk



    View in IE and it works.

    View in Firefox and it redirects to a "you need to use IE" page.

    View in Opera (9.21) and you get nothing at all, just a blank page.



    And it gets worse.



    Viewing the source in Opera and you have this:

    META name=Description "Creda - UK market leader in domestic drying, heating and cooking appliances"

    Right, so you can afford a decent web designer then?



    It scans for "Netscape" and "MSIE". If you have one of them you're in (also, commented out are checks for Windows 95, 98 or NT... how old must that be?!)

    If it doesn't find either string, you get nothing but some source code but no content.



    If you do view the site in IE, have a look at their products page. Notice the image that looks like it's either been stretched, saved enough times to visibly artifact it, or both.

    For extra kicks click the "built in cooking" link and get not just one new window, but two. One to tell you about their range and a second to tell you how great they are.





    As the kicker, they have Google Web Analytics, so they know how many !IE people are visiting. What a way to lose custom.





    In unrelated views, what's with this stupid forum software, I have to manually type html line breaks. Oooh, could I xss?



  • I just looked at it in Firefox, and the page I'm redirected to is named "nodhtml.htm". So this means that only IE supports DHTML? At least, Firefox supports AJAX... :P



  • You can go directly to http://www.creda.co.uk/macro/header.d2w/HomeStart in Firefox, which works fine. Notice that the "Welcome to Creda" at the top left corner is missing.

    There's not much use of dhtml actually, and jumping to the "Product range" part opens a new window (or tab) which tries to open a popup. I didn't go any further, I didn't care.

    I can't believe they actually paid for this. 



  • @bairy said:

    As the kicker, they have Google Web Analytics, so they know how many !IE people are visiting. What a way to lose custom.

    The "nodhtml.htm" page also calls the urchinTracker, so they also know how many people are being redirected because they suck.

     

     Also, what's up with http://pagead2.googlesyndication.com/pagead/show_ads.js being a GIF file?



  • Right-click, Edit Site Preferences, Network, Identify as IE, reload. Works fine in Opera 9.21... why am I not surprised?

    If you click on Brochure there's an option to download Adobe Acrobat Reader 3.02 - which should demonstrate how aged the site is. :-)



  • I live in the UK and I've never heard of Creda, so it doesn't look like they're the market leader anymore. 
    This is the code for the home page: 

    <!-- <FRAMESET rows="93,6*,100,*" BORDER="0" frameborder=0 framespacing=0 border=0 scrolling="no" marginwidth=0 marginheight=0> -->
    <FRAMESET rows="93,*,100" BORDER="0" frameborder=0 framespacing=0 border=0 scrolling="no" marginwidth=0 marginheight=0>
    <FRAME NAME=header SRC="NavSection?ToLoad=Home" frameborder="no" scrolling="no" marginwidth=0 marginheight=0>
    <FRAME NAME=content SRC="/macro/home.d2w/report" frameborder="no" marginwidth=0 marginheight=0>
       <FRAME NAME=footer SRC="Footer" frameborder="no" scrolling="no" marginwidth=0 marginheight=0>
    <!-- <FRAME NAME=filler src="Filler" frameborder="no" scrolling="no" marginwidth=0 marginheight=0> -->
    </FRAMESET>

    Looks like someone forgot how to use the Backspace key... 
    Oh, and need I mention that using frames like that is a huge WTF? 



  • For a laugh google "creda" and check out the very first entry.



  • @DOA said:

    For a laugh google "creda" and check out the very first entry.
    That's what happens when you deny access to the googlebots - they index your browser error page.

    Oh, and occasionally you see "Your browser does not support frames" as a google result... lol 

    Visit http://www.creda.co.uk/home.htm in firefox, then you will realize what crap programmers they use.



  • @Mal1024 said:

    I live in the UK and I've never heard of Creda, so it doesn't look like they're the market leader anymore. 

    I've heard of them - they were the market leader twenty years ago - but I'd say that they're living in the past. They're pretty irrelevant these days. 



  • That site is one big pee-hole. I bet their 'outlet store' website has the same WTFery.


    But, let's just see the good side of things and find some entertainment, more specifically, the SQL injection holes and ways to make the website wet itself.



  • Didn't work with Safari either.  I only tried it with the Windows version, but I'd bet that it wouldn't work on a Mac either.  I guess they're telling any non-Windows users to shove it.



  • @bairy said:

    In unrelated views, what's with this stupid forum software, I have to manually type html line breaks. Oooh, could I xss?


    Apparently you can fake posts:

    But for some reason I haven't figured, some of the alignment breaks ("Fake Post" in the title should be right-aligned and the user section should be top-aligned)

    <!--​-> </div> </div> </td></tr> </tbody></table> </td> </tr> <tr valign="bottom"> <td class="ForumPostFooterArea"> </td> </tr> </tbody></table> </div> </li> <li> <div class="ForumPostArea"> <h4 class="ForumPostHeader"> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tbody><tr valign="middle"> <td align="left"><img src="/Themes/default/images/icon_post_show.gif" style="border-width: 0px;" border="0"> Never</td> <td class="ForumPostHeaderControlArea" align="right"> <a title="Link to this post" href="">Fake Post</a> </td> </tr> </tbody></table> </h4> <table style="table-layout: auto;" border="0" cellpadding="0" cellspacing="0" width="100%"> <tbody><tr valign="top"> <td rowspan="2" class="ForumPostUserArea"> <div class="ForumPostUserContent"> <ul class="ForumPostUserPropertyList"> <li class="ForumPostUserName"> <img src="/Themes/default/images/user_IsOffline.gif" alt="Fake User is not online. Last active: Never" style="border-width: 0px;"> <a href="">Fake User</a> </li> <li class="ForumPostUserAvatar CommonPrintHidden"> <img src="/utility/anonymous.gif" border="1"> </li> <li class="ForumPostUserIcons CommonPrintHidden"> <img title="Not Ranked" alt="Not Ranked" src="/Themes/default/images/rankicons/rank0.gif"> </li> <li class="ForumPostUserAttribute"> Joined Never </li> <li class="ForumPostUserAttribute"> UK </li> <li class="ForumPostUserAttribute"> <a href="">Posts 0</a> </li> </ul> </div> </td> <td class="ForumPostContentArea"> <div class="ForumPostTitleArea"> <h4 class="ForumPostTitle"> Fake Post </h4> </div> <table style="table-layout: fixed;" border="0" cellpadding="0" cellspacing="0" height="100%" width="100%"> <tbody><tr><td> <div class="ForumPostBodyArea"> <div class="ForumPostContentText"> <p>Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post</p> <p>Fake Post Fake Post Fake Post Fake Post Fake Post</p> <p>Fake Post Fake Post Fake Post Fake 
Post Fake Post Fake Post Fake Post Fake Post</p> <p>Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post</p> <p>Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post Fake Post</p> <!--​>


  • @shadowman said:

    Didn't work with Safari either.  I only tried it with the Windows version, but I'd bet that it wouldn't work on a Mac either.  I guess they're telling any non-Windows users to shove it.


    I just tried it on my mac, it works in safari.  Well, it loads the page, or at least some subset of elements of the page.


  • @Zecc said:

     Also, what's up with http://pagead2.googlesyndication.com/pagead/show_ads.js being a GIF file?


    Server-side javascript generating a GIF image?



  • Well just for a nice little laugh, I tried the site with IE 6.0 but it didn't work. So I would just point and laugh at them "Ha Ha" :-)



  • @Thief^ said:

    Apparently you can fake posts...

    Awesome man! That's pretty bad. I've given this topic a full five stars for that.

    Do Alex, Jake or Derrick actually read the sidebar WTFs? Do they realise the full extent to which this forum software can be abused? I would hope that people here are too smart to fall for any abuse, but I am really not so sure. But other Community Server sites could end up in a mess :)

    The weirdest thing is that if I type "HTML" into the Tags box, it autocompletes it with "HTML entities", which is a tag not listed in the tag selector...



  • @Daniel Beardsmore said:

    Do Alex, Jake or Derrick actually read the sidebar WTFs? Do they realise the full extent to which this forum software can be abused? I would hope that people here are too smart to fall for any abuse, but I am really not so sure. But other Community Server sites could end up in a mess :)

    Other people run this crap? If they exist, they're pretty much screwed by default, regardless of this particularly silly bug.

    Still, I can't really see how this site could be abused. There wasn't actually anybody who took anything they read here seriously, was there? (If there was, they deserve what they get, that's about on the level of believing what you see on Fox news)

     



  • Meh, there seem to be limits as to what CSS and HTML is accepted. <script> tags are just removed, and position: absolute is deleted from a style property. So far, I can't find anything malicious I can inject into the page although I can repeat Thief^'s example of a fake post. But I've only just got up. Whether there is a way to do something bad, I don't know.
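
Added example, not part of the thread and not Community Server's code: the filter described in the post above removes specific strings (`<script>`, `position: absolute`), while the fake post relies on unmatched closing tags escaping the post container. The sketch below re-serialises a post body against an assumed tag allowlist, dropping stray closing tags and closing anything left open; `PostSanitizer`, `sanitize_post` and the allowlist are hypothetical names chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a post body: inline/text tags only, no layout containers.
ALLOWED = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote", "code", "pre"}

class PostSanitizer(HTMLParser):
    """Re-serialise a post so it cannot close or open markup outside its own container."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.dropped = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED:
            self.stack.append(tag)
            self.out.append(f"<{tag}>")      # attributes (style, class, ...) are discarded
        else:
            self.dropped.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag not in self.stack:            # stray close: it would end the page's own element
            self.dropped.append(f"</{tag}>")
            return
        while self.stack:                    # close inner elements first, then the match
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))        # text is always re-escaped

    def handle_comment(self, data):
        self.dropped.append("<!-- -->")      # comments never reach the page

    def finish(self):
        self.close()                         # flush buffered text
        while self.stack:                    # close whatever the author left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def sanitize_post(body):
    s = PostSanitizer()
    s.feed(body)
    return s.finish(), s.dropped

# Constructed sample, abridged from the shape of the fake-post markup quoted in this thread.
SAMPLE = ('</div></div></td></tr></tbody></table><li><div class="ForumPostArea">'
          '<h4 class="ForumPostHeader">Fake Post</h4><p>Fake <b>Post</p>')

if __name__ == "__main__":
    print(*sanitize_post(SAMPLE), sep="\n")
```

The second return value lists what was discarded, which is worth logging: a post whose first tokens are closing tags for elements it never opened is a strong signal of an attempt to break out of the post container.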



  • My ISP's support forum runs it. I thought it was quite nice until I started using it.



  • @Daniel Beardsmore said:

    Do Alex, Jake or Derrick actually read the sidebar WTFs? Do they realise the full extent to which this forum software can be abused? I would hope that people here are too smart to fall for any abuse, but I am really not so sure. But other Community Server sites could end up in a mess :)

    They definitely know about it. I believe it's largely why they switched the front page articles over to their own custom system.

    Having said that, the current version of the forum software has nothing on the old version. If you replied using the wrong browser all the hidden formatting would get converted to html entities somewhere along the line. Threads often had several posts full of html. There were also other issues with the editor that would result in the same problem.
    Another I remember was the pizza pie smile that appeared in the smilies list but was impossible to use. A few articles got hijacked by people trying to get it to work.

     

     



  • D'oh. Sounds like I arrived late and missed all the fun.

