FedLoan || CHR(13) || CHR(10)
-
Dr. Wife got an email from FedLoan after changing her PIN. The message was only sent in plain-text, and its content (aside from changing her first name) was:
Dear Jane,|| CHR(13) || CHR(10) || CHR(13) || CHR(10) || You're receiving this email to confirm that your Account PIN has been successfully created|| CHR(13) || CHR(10) || with FedLoan Servicing.|| CHR(13) || CHR(10) || CHR(13) || CHR(10) || To keep your Account PIN safe, please:|| CHR(13) || CHR(10) || . Do not write down your Account PIN|| CHR(13) || CHR(10) || . Do not share your Account PIN with anyone else|| CHR(13) || CHR(10) || CHR(13) || CHR(10) || To electronically sign eligible documents with your Account|| CHR(13) || CHR(10) || PIN or to manage your Account PIN, sign into your account at myfedloan.org.|| CHR(13) || CHR(10) || CHR(13) || CHR(10) ||PLEASE DO NOT REPLY TO THIS EMAIL. If you require further assistance, please visit our|| CHR(13) || CHR(10) || website at myfedloan.org. From the homepage, you may click on the "Contact Us" link,|| CHR(13) || CHR(10) || which will provide you with useful information such as our Customer Service Department hours|| CHR(13) || CHR(10) || of operation and telephone number, and will allow you to submit inquiries via a secure e-mail.
Bonus: I got multiple CSRF and database errors setting up this account in order to post this. Yay, Discourse, I guess?
-
@crism said in FedLoan || CHR(13) || CHR(10):
Yay, Discourse, I guess?
Discourse bugs still affect us years after moving off Discourse? That sounds about right.
-
@ben_lubar, I forgot they’d replaced it. They kept most of the UI “features” of Discourse, though, so I spaced it out.
-
@crism said in FedLoan || CHR(13) || CHR(10):
@ben_lubar, I forgot they’d replaced it.
"They" being @ben_lubar.
-
You never know when you need to swap out the words on a real time basis, so you've gotta softcode as hardly as you've ever softcoded.
-
@sumireko said in FedLoan || CHR(13) || CHR(10):
You never know when you need to swap out the words on a real time basis, so you've gotta softcode as hardly as you've ever softcoded.
I'm pretty sure
|| CHR(13) || CHR(10) ||
is someone trying really poorly to write \r\n
-
@ben_lubar said in FedLoan || CHR(13) || CHR(10):
I'm pretty sure
|| CHR(13) || CHR(10) ||
is someone trying really poorly to write \r\n
It is, and the double pipe screams Oracle or MySQL to me, most likely the former. Looks like the message text is actually a query that was being passed to a database but isn't anymore or is escaped when perhaps it wasn't before? Didn't look that carefully but it's pretty funny.
-
@heterodox said in FedLoan || CHR(13) || CHR(10):
@ben_lubar said in FedLoan || CHR(13) || CHR(10):
I'm pretty sure
|| CHR(13) || CHR(10) ||
is someone trying really poorly to write \r\n
It is, and the double pipe screams Oracle or MySQL to me, most likely the former. Looks like the message text is actually a query that was being passed to a database but isn't anymore or is escaped when perhaps it wasn't before? Didn't look that carefully but it's pretty funny.
....
Can you pull some SQL injection bullshit by 'replying' to a different message body (i.e. edit the >-quoting manually)? Because that'd be hilarious.
-
@heterodox said in FedLoan || CHR(13) || CHR(10):
Looks like the message text is actually a query that was being passed to a database but isn't anymore or is escaped when perhaps it wasn't before? Didn't look that carefully but it's pretty funny.
My guess was that they've added a layer which strips out single quotes, for safety of course, perhaps in conjunction with parameterisation (because why protect against sqli in just one way when you can do it two ways at the same time?). So instead of 'text here' || chr(13) || chr(10) || 'more text' it's all getting chucked into a big string.
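The failure mode guessed in that post, reproduced as an added illustration (not code from the thread or from FedLoan): a message stored as an Oracle-style concatenation of literals and CHR() calls renders fine while the database evaluates it, turns into the mangled text from the email once a layer strips the single quotes and binds the remainder as a parameter, and is only really fixed by keeping the message as plain data. It runs on SQLite with a registered CHR() standing in for Oracle's, and the sample message is constructed.

```python
import sqlite3


def to_sql_expression(text: str) -> str:
    """Build the kind of expression the thread infers from the email: each
    line becomes a quoted literal and line breaks become CHR(13) || CHR(10).
    Single quotes are doubled, the standard SQL escape inside a literal."""
    lines = text.split("\r\n")
    literals = ["'" + line.replace("'", "''") + "'" for line in lines]
    return " || CHR(13) || CHR(10) || ".join(literals)


def _connect() -> sqlite3.Connection:
    # SQLite only ships CHAR(); register CHR() so the Oracle-style expression
    # evaluates here (assumption: the original ran on a database with CHR()).
    conn = sqlite3.connect(":memory:")
    conn.create_function("CHR", 1, chr)
    return conn


def render_legacy(text: str) -> str:
    """Before: the expression is spliced into the statement text and the
    database evaluates it, so the reader gets real CRLF line breaks."""
    with _connect() as conn:
        return conn.execute("SELECT " + to_sql_expression(text)).fetchone()[0]


def render_quote_stripped(text: str) -> str:
    """The 'safety layer' guessed in the thread: single quotes are stripped
    and what is left is bound as a parameter. The database now sees plain
    data, so the pipes and CHR() calls are delivered to the reader verbatim."""
    sanitised = to_sql_expression(text).replace("'", "")
    with _connect() as conn:
        return conn.execute("SELECT ?", (sanitised,)).fetchone()[0]


def render_parameterized(text: str) -> str:
    """Fix: the message is data, not SQL. Bind it as a parameter, build no
    expression, strip nothing; an apostrophe in the text survives untouched."""
    with _connect() as conn:
        return conn.execute("SELECT ?", (text,)).fetchone()[0]
```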
-
@heterodox said in FedLoan || CHR(13) || CHR(10):
the double pipe screams Oracle or MySQL to me
It's the SQL standard.
-