Website security...




  • I'm a contractor for my state government. Mostly, I just maintain websites (gosh, I would LOVE a job where I could actually use what I learned in my CS studies). Anyway, one such website is a directory of various agencies throughout the state, listing importaint employees, phone numbers, addresses, etc..., written in ASP.NET. This website also provides an interface for authorized people to login & make changes (add, edit, delete agencies & employees, etc...). Mostly, it's just extra buttons that appear beside each entry if a user is logged in.

    Anyway, here's the bit of code that controls whether the "edit" or "delete" buttons are displayed for each employee:

    HtmlControl objDiv = (HtmlControl)e.Item.FindControl("divEdit");
    if (CanUpdate)
    objDiv.Attributes["class"] = "showdiv";
    else
    objDiv.Attributes["class"] = "hidediv";

    CanUpdate is set to true when a user has logged in as is in the correct role. divEdit is simply a div tag. objDiv.Attributes["class'] sets the CSS class of that div tag. And what code is fired for any button inside that div tag?

    protected void Repeater2_ItemCommand(object source, RepeaterCommandEventArgs e)
    {
    string emplID = e.CommandArgument.ToString();
    DelEmpl(emplID); //Unconditionally deletes an employee from the directory
    GetData(); //updates the page
    }

    That's right. The ItemCommand event is fired for any button clicked inside the Repeater control that does a postBack (only the delete button does a postback for now) and access to this button is controlled solely through CSS! I just emailed the person who wrote this code and I'm still waiting for her response. I can't wait to hear what her justification is... lol!

    P.S. - I've had to put a BR html tag in between every line of code in this post, and I can't figure out how to indent it. Is there an easier way to post code snippets?



  • Posting a security breach of a site your maintaining before it is fixed: the Real WTF?

    Answering your question: you can wrap your code with a [ code] tag.



  • @Huf Lungdung said:

    HtmlControl objDiv = (HtmlControl)e.Item.FindControl("divEdit");
    if (CanUpdate)
    objDiv.Attributes["class"] = "showdiv";
    else
    objDiv.Attributes["class"] = "hidediv";

    Looks like this was implemented by the same guy who brought us the admin=True URL...



  •  @Zecc said:

    Posting a security breach of a site your maintaining before it is fixed: the Real WTF?

    Answering your question: you can wrap your code with a [ code] tag.

    Yeh, you're probably right. (Woah, this site works very differently in FireFox. In IE I just get a plain textbox and have to type in the HTML manually. In FF I have a cool wysiwyg-ish editor. Wish I'd known that writing the OP). I did fix the vulnerability before going home today. I don't think I gave out enough info for you to figure which website it was though, but it's better to be safe than sorry.

    At least the coworker seemed to understand why this was bad... even though I did have to take a minute to explain it.



  • @Huf Lungdung said:

    (Woah, this site works very differently in FireFox. In IE I just get a plain textbox and have to type in the HTML manually. In FF I have a cool wysiwyg-ish editor. Wish I'd known that writing the OP).

    That's odd, IE usually has a better RTF engine than Firefox does, except for all the garbage CSS it generates.  You may have something disabled or have really restricted security preferences if IE isn't giving you the RTF editor.  I'm assuming you're not using an ancient version of IE or using it on a non-Windows machine, of course.  Office also tends to screw with the HTML rendering dlls used by IE (although I think this stopped with IE7) so it is possible that an Office install or uninstall somehow borked that up.  It's probably not a big deal to you, but it would affect any site that uses TinyMCE (and most likely any other WYSIWYG editor).


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.