GetScrambledPassword() and other fun stuff
-
Found on the login page of one of our internal systems. Presented without much comment:
/**
 * Encodes a password as a string over a fixed 16-letter alphabet.
 *
 * The input is percent-encoded with encodeURIComponent, then every character
 * of that encoded string is written as two letters: the table entry for the
 * high nibble of its char code followed by the entry for the low nibble.
 *
 * Security note: this is a keyless, unsalted letter substitution on hex
 * nibbles. encodeURIComponent emits ASCII only, so every character maps to a
 * unique pair and the original password can be recovered by anyone who has
 * this table, which ships to every client. The same password always produces
 * the same output. Treat the result as plaintext-equivalent: confidentiality
 * in transit has to come from TLS, and storage protection from a salted
 * password hash on the server.
 *
 * @param {?string} pwd - password text; null or undefined is treated as "".
 * @returns {string} two letters per character of the percent-encoded input.
 */
function getScrambledPassword(pwd) {
  // Same sixteen letters, in the same order, as the original lookup array.
  var table = "kszhxbpjvcgfqntm".split("");
  var encoded = encodeURIComponent(pwd == null ? "" : pwd);
  var pairs = [];

  for (var pos = 0; pos < encoded.length; pos++) {
    var code = encoded.charCodeAt(pos);
    pairs.push(table[Math.floor(code / 16)] + table[code % 16]);
  }

  return pairs.join("");
}
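/**
 * Keypress handler that submits the login form when the Return key is hit.
 *
 * The key code is read by feature detection instead of matching
 * navigator.appName, so a browser that reports neither "Netscape" nor
 * "Microsoft" no longer ends up with an undefined key code.
 *
 * @param {Object} [evt] - the key event; when omitted, window.event is used
 *   (the legacy IE event model).
 */
function doSubmit(evt) {
  // Legacy IE exposes the current event on window.event rather than passing it in.
  var e = evt || window.event;
  if (!e) {
    return;
  }

  // `which` is the older Netscape-style property, `keyCode` the IE-style one.
  var keycode = e.which || e.keyCode;

  // 13 is the "Return" key.
  if (keycode == 13) {
    doLogin();

    // Stop the system default beep: only legacy IE event objects (which lack
    // preventDefault) need their key code zeroed.
    if (typeof e.preventDefault != "function") {
      e.keyCode = 0;
    }
  }
}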
// Zones checked when the browser reports the same UTC offset all year.
// `offset` is in milliseconds and is compared with the negated
// Date#getTimezoneOffset() value.
var noDstTzs = [
  { tz: "ACT", offset: 34200000 },
  { tz: "Africa/Abidjan", offset: 0 },
  // snip...
  { tz: "Pacific/Norfolk", offset: 41400000 }
];

// Zones with daylight saving. `start` and `end` are multiplied by 1000 before
// being handed to Date, i.e. they are seconds since the epoch; entries with
// start or end equal to -1 are skipped by getTimezone().
var dstTzs = [
  { tz: "AET", offset: 36000000, start: 1224950400, end: 1206806400 },
  { tz: "AGT", offset: -10800000, start: 0, end: 0 },
  // snip...
  { tz: "WET", offset: 0, start: 1206838800, end: 1224982800 },
  { tz: "Australia/Perth", offset: 28800000, start: 1224957600, end: 1238263200 }
];

// Last-resort list, matched on a single offset sample only.
var USTzs = [
  { tz: "AST", offset: -32400000 },
  { tz: "America/Adak", offset: -36000000 },
  // snip...
  { tz: "Canada/Yukon", offset: -28800000 },
  { tz: "SystemV/AST4ADT", offset: -14400000 }
];

/**
 * Guesses the browser's timezone name by sampling Date#getTimezoneOffset()
 * and matching the results against the three tables above.
 *
 * @returns {string} the `tz` of the first matching table entry, or
 *   "use_server" when nothing matches.
 */
function getTimezone() {
  // Offset of `date` from UTC in milliseconds (positive when local time is behind UTC).
  var offsetMs = function (date) {
    return date.getTimezoneOffset() * 60000;
  };
  var idx;
  var zone;

  // Pass 1: identical offsets in January, April, July and October 2004 mean
  // the zone has no daylight saving.
  var jan = offsetMs(new Date(2004, 0, 1, 0, 0, 0, 0));
  var apr = offsetMs(new Date(2004, 3, 1, 0, 0, 0, 0));
  var jul = offsetMs(new Date(2004, 6, 1, 0, 0, 0, 0));
  var oct = offsetMs(new Date(2004, 9, 1, 0, 0, 0, 0));

  if (jan == apr && apr == jul && jul == oct) {
    for (idx = 0; idx < noDstTzs.length; idx++) {
      zone = noDstTzs[idx];
      if (zone.offset == -jan) {
        return zone.tz;
      }
    }
  }

  // Pass 2: a DST zone matches when the offset changes across both its start
  // and end instants and the offset just after the end equals the table value.
  for (idx = 0; idx < dstTzs.length; idx++) {
    zone = dstTzs[idx];
    if (zone.start == -1 || zone.end == -1) {
      continue;
    }

    var beforeStart = offsetMs(new Date((zone.start - 1) * 1000)); // 1 second before DST start
    var afterStart = offsetMs(new Date((zone.start + 1) * 1000)); // 1 second after DST start
    var beforeEnd = offsetMs(new Date((zone.end - 1) * 1000)); // 1 second before DST end
    var afterEnd = offsetMs(new Date((zone.end + 1) * 1000)); // 1 second after DST end

    if (beforeStart != afterStart && beforeEnd != afterEnd && -afterEnd == zone.offset) {
      return zone.tz;
    }
  }

  // Pass 3: nothing matched above. The original comment attributes this to a
  // Windows bug relating to the 2007 changes in US DST rules.
  // NOTE(review): month index 12 rolls over to January 2008; confirm whether
  // December 2007 (index 11) was intended.
  var sample = offsetMs(new Date(2007, 12, 1, 1, 0, 0, 0));
  for (idx = 0; idx < USTzs.length; idx++) {
    zone = USTzs[idx];
    if (-sample == zone.offset) {
      return zone.tz;
    }
  }

  return "use_server";
}
-
Ew, that's bad. Are you allowed to fix it? How old is it?
-
Yeah! Why roll your own encryption algorithm instead of using standard ROT32? It could have some vulnerabilities.
-
Are you allowed to fix it?
It's not even ours, it seems. Not giving out the names, but a Google of the first function's signature will tell you something.
How old is it?
Copyright 2009, but apparently running in quirks mode.
-
Oh god, I just realized ...
That encryption thing has tons of potential collisions when using non-alphabetic characters.
-
alert() debugging in 2009? Not sure if someone is stuck in the past or stuck using IE only... and even then I'm pretty sure IE's dev tools can do better!
-
Not giving out the names, but a Google of the first function's signature will tell you something.
Remedy ...
-
It's basically hex-encoding the characters. Or rather, the LSB of them. (Or rather, it just plain won't work if the charcode is >256, going beyond the `cipher` array.) So if you go beyond 256, yeah, that's rather bad.
alert() debugging in 2009?
In a full-fledged release for customers. To be fair, it also does alert() notifications...
-
So if you go beyond 256, yeah, that's rather bad.
Note to self: Always use at least one exotic unicode thingie - preferably an emoji - in each password.
Just to detect such idiocy.
-
Not giving out the names, but a Google of the first function's signature will tell you something.
82% of the Fortune 500 rely on $COMPANY for innovative and industrialized IT solutions.
Emphasis mine. Found on their About page.
-
Why not name and shame?
-
-