GetScrambledPassword() and other fun stuff



  • Found on the login page of one of our internal systems. Presented without much comment:

    // Encodes a password for the login form: the value is URI-encoded, then each
    // character code of the result is written as two letters from a fixed
    // 16-letter table (high nibble first, low nibble second).
    // NOTE(review): the table is fixed and keyless, so anyone holding this script
    // can invert the mapping. This is an encoding, not encryption or hashing; it
    // gives the password no confidentiality. Protection has to come from TLS on
    // the login request and from salted password hashing on the server.
    function getScrambledPassword(pwd) {
        var nibbleLetters = "kszhxbpjvcgfqntm";
        // null and undefined are both treated as an empty password
        var encoded = encodeURIComponent(pwd == null ? "" : pwd);
        var pieces = [];
        var pos, code;

        // encodeURIComponent emits ASCII only (everything else becomes %XX), so
        // every code is below 128 and both table indexes stay within 0..15.
        for (pos = 0; pos < encoded.length; pos += 1) {
            code = encoded.charCodeAt(pos);
            pieces.push(nibbleLetters.charAt(code >> 4) + nibbleLetters.charAt(code & 15));
        }
        return pieces.join("");
    }
    
    
    
    /*
     * Key-press handler for the login form: calls doLogin() when the Return key
     * (key code 13) is pressed.
     *
     * The key code is read from evt.which when navigator.appName contains
     * "Netscape", and from window.event.keyCode when it contains "Microsoft".
     * If appName contains neither, no key code is read and nothing happens.
     * NOTE(review): navigator.appName is a legacy value that current browsers
     * all report as "Netscape", so the "Microsoft" branch is only reachable in
     * old Internet Explorer.
     */
    function doSubmit(evt) {
        var RETURN_KEY = 13;
        var appName = navigator.appName;
        var isNetscape = appName.indexOf("Netscape") != -1;
        var isMicrosoft = appName.indexOf("Microsoft") != -1;
        var pressedKey;

        if (isNetscape) {
            pressedKey = evt.which;
        } else if (isMicrosoft) {
            pressedKey = window.event.keyCode;
        }

        if (pressedKey != RETURN_KEY) {
            return;
        }

        doLogin();

        if (isMicrosoft) {
            // clearing the key code stops the system default beep sound
            window.event.keyCode = 0;
        }
    }
    
    
    // Lookup tables read by getTimezone(). Each `offset` is compared with
    // getTimezoneOffset() * 60000 after a sign flip, so it is in milliseconds.

    // Zones matched when the local offset is the same at all four probe dates.
    var noDstTzs = [
        { tz: "ACT", offset: 34200000 },
        { tz: "Africa/Abidjan", offset: 0 },
        //snip...
        { tz: "Pacific/Norfolk", offset: 41400000 }
    ];

    // Zones with daylight saving. `start` and `end` are multiplied by 1000 before
    // being handed to Date, so they are in seconds; getTimezone() skips an entry
    // when either one is -1.
    var dstTzs = [
        { tz: "AET", offset: 36000000, start: 1224950400, end: 1206806400 },
        { tz: "AGT", offset: -10800000, start: 0, end: 0 },
        //snip...
        { tz: "WET", offset: 0, start: 1206838800, end: 1224982800 },
        { tz: "Australia/Perth", offset: 28800000, start: 1224957600, end: 1238263200 }
    ];

    // Fallback table, consulted only when neither table above produced a match.
    var USTzs = [
        { tz: "AST", offset: -32400000 },
        { tz: "America/Adak", offset: -36000000 },
        //snip...
        { tz: "Canada/Yukon", offset: -28800000 },
        { tz: "SystemV/AST4ADT", offset: -14400000 }
    ];
    
    /*
     * Guesses a timezone name for the browser by comparing the UTC offsets that
     * Date reports locally against the noDstTzs, dstTzs and USTzs tables.
     * Returns the `tz` string of the first matching entry, or "use_server" when
     * no entry matches.
     */
    function getTimezone() {
        var MS_PER_MINUTE = 60000;
        var idx, zone, quarterOffsets;
        var beforeStart, afterStart, beforeEnd, afterEnd, fallbackOffset;

        // getTimezoneOffset() is in minutes and positive west of UTC; the tables
        // hold milliseconds with the opposite sign, hence the negations below.
        function offsetMs(when) {
            return when.getTimezoneOffset() * MS_PER_MINUTE;
        }

        // Pass 1: an offset that is identical on 1 Jan, 1 Apr, 1 Jul and 1 Oct
        // 2004 means no daylight saving, so look in the no-DST table.
        quarterOffsets = [
            offsetMs(new Date(2004, 0, 1, 0, 0, 0, 0)),
            offsetMs(new Date(2004, 3, 1, 0, 0, 0, 0)),
            offsetMs(new Date(2004, 6, 1, 0, 0, 0, 0)),
            offsetMs(new Date(2004, 9, 1, 0, 0, 0, 0))
        ];
        if (quarterOffsets[0] == quarterOffsets[1] &&
                quarterOffsets[1] == quarterOffsets[2] &&
                quarterOffsets[2] == quarterOffsets[3]) {
            for (idx = 0; idx < noDstTzs.length; idx += 1) {
                zone = noDstTzs[idx];
                if (zone.offset == -quarterOffsets[0]) {
                    return zone.tz;
                }
            }
        }

        // Pass 2: a DST zone matches when the local offset changes across both
        // of its listed transitions and the offset just after `end` equals the
        // entry's offset.
        for (idx = 0; idx < dstTzs.length; idx += 1) {
            zone = dstTzs[idx];
            // -1 in either field means the entry cannot be probed
            if (zone.start != -1 && zone.end != -1) {
                beforeStart = offsetMs(new Date((zone.start - 1) * 1000)); // 1 second before DST start
                afterStart = offsetMs(new Date((zone.start + 1) * 1000));  // 1 second after DST start
                beforeEnd = offsetMs(new Date((zone.end - 1) * 1000));     // 1 second before DST end
                afterEnd = offsetMs(new Date((zone.end + 1) * 1000));      // 1 second after DST end
                if (beforeStart != afterStart && beforeEnd != afterEnd && -afterEnd == zone.offset) {
                    return zone.tz;
                }
            }
        }

        // Pass 3: nothing matched, which the original author attributes to a
        // Windows bug related to the 2007 change in US DST rules; fall back to a
        // single-offset lookup in the US table.
        // NOTE(review): month index 12 is out of range and rolls over to
        // 1 January 2008 -- confirm whether December 2007 (index 11) was meant.
        fallbackOffset = offsetMs(new Date(2007, 12, 1, 1, 0, 0, 0));
        for (idx = 0; idx < USTzs.length; idx += 1) {
            zone = USTzs[idx];
            if (-fallbackOffset == zone.offset) {
                return zone.tz;
            }
        }

        return "use_server";
    }
    
    


  • Ew, that's bad. Are you allowed to fix it? How old is it?



  • Yeah! Why roll your own encryption algorithm instead of using standard ROT32? It could have some vulnerabilities.



  • @swayde said:

    Are you allowed to fix it?

    It's not even ours, it seems. Not giving out the names, but a Google of the first function's signature will tell you something.

    @swayde said:

    How old is it?

    Copyright 2009, but apparently running in quirks mode.



  • Oh god, I just realized ...
    That encryption thing has tons of potential collisions when using non-alphabetic characters.


  • BINNED

    alert() debugging in 2009?

    Not sure if someone is stuck in the past or stuck using IE only... and even then I'm pretty sure IE's dev tools can do better!


  • Discourse touched me in a no-no place

    @Maciejasjmj said:

    Not giving out the names, but a Google of the first function's signature will tell you something.

    Remedy 😆 ... :facepalm:



  • It's basically hex-encoding the characters. Or rather, the LSB of them. (or rather, it just plain won't work if the charcode is >256, going beyond the cipher array)

    So if you go beyond 256, yeah, that's rather bad.

    @Onyx said:

    alert() debugging in 2009?

    In a full-fledged release for customers. To be fair, it also does alert() notifications...



  • @Maciejasjmj said:

    So if you go beyond 256, yeah, that's rather bad.

    Note to self: Always use at least one exotic unicode thingie - preferably an emoji - in each password.
    Just to detect such idiocy.


  • Discourse touched me in a no-no place

    @Maciejasjmj said:

    Not giving out the names, but a Google of the first function's signature will tell you something.

    82% of the Fortune 500 rely on $COMPANY for innovative and industrialized IT solutions.

    Emphasis mine. Found on their About page.



  • Why not name and shame?


  • Discourse touched me in a no-no place

    @swayde said:

    Why not name and shame?

    Sorry - thought it was a treasure hunt.... 🐠



  • @PJH said:

    treasure hunt..

    Shit, so I ruined it for everyone else? 😿

