If you are Ulises Cortes, don't worry



  • This is what I call personalized software:


    http://upc.grouphub.com/amnesia/forgot_password



  • If you are Ulises Cortes, we can send your username to the email address we have on file.

    Unless of course we get FILE_NOT_FOUND



  •  "The user name for Ulises Cortes has been emailed to <whatever>". Sorry couldn't resist.

    I figure he'll be getting a lot of emails in the next few days



  • @DOA said:

     "The user name for Ulises Cortes has been emailed to <whatever>". Sorry couldn't resist.

    I figure he'll be getting a lot of emails in the next few days

    Unfortunately, the developers weren't stupid enough to use GET vars which makes it just enough trouble to script that I won't bother...



  • @ounos said:

    This is what I call personalized software:


    http://upc.grouphub.com/amnesia/forgot_password

    TRWTF is that you've never heard of outsourced software services before?  Hint: There are a lot of other grouphub.com domains.

     



  • @DOA said:

     "The user name for Ulises Cortes has been emailed to <whatever>". Sorry couldn't resist.

    I figure he'll be getting a lot of emails in the next few days

    Does he look worried?

    Maybe he should be worried

    Heh.  If he knows how to check his referer logs, now he'll be able to figure out why he's getting all these emails...



  • Ulises Cortes, I deem you memeworthy.

     

    cleans Diet Coke off of monitor



  • @DOA said:

     "The user name for Ulises Cortes has been emailed to <whatever>". Sorry couldn't resist.

    I figure he'll be getting a lot of emails in the next few days

     

     

    Oops, i clicked it again...



  • @North Bus said:

    Ulises Cortes, I deem you memeworthy.

    You mean like LOL-ises Cortes ?

    LOLises Cortes

     



  •  In our software, people who forget their passwords have a box asking them to go to the IT helpdesk. I've always wondered what happens if whoever's manning the IT helpdesk consequently forgets their password since that'll be the person who's got to go to himself to reset his password, but he can't login because he forgot his password, so he has to go to himself... ad infinitum



  • @DaveK said:

    Hint: There are a lot of other grouphub.com domains.

    Forgive if this is profoundly ignorant (not my area, etc etc), but aren't these people at the various grouphub.com domains going to be receiving lots of emails anyway as various search engine spiders/bots skim over this lot?



  • @Zagyg said:

    @DaveK said:
    Hint: There are a lot of other grouphub.com domains.

    Forgive if this is profoundly ignorant (not my area, etc etc), but aren't these people at the various grouphub.com domains going to be receiving lots of emails anyway as various search engine spiders/bots skim over this lot?

    As Morbs pointed out, it requires an HTTP POST request for the form.  Spiders and bots tend to use GET requests.  (related WTFs: 1 2).

    Also, the spider or bot would have to parse and interpret javascript before it could work, because the admin password link has an onClick handler that needs to be run to send the POST to a specialised URI for the account holder by dynamically rewriting the <form action=... > parameter.  They aren't that smart.

     



  • My favorite part is how they went about implementing the POST. (Formatted for clarity)

    <a href="#"
    onclick="
        var f = document.createElement('form');
        f.style.display = 'none';
        this.parentNode.appendChild(f);
        f.method = 'POST';
        f.action = '/amnesia/send_account_holder_user_name';
        f.submit();
        return false;
    ">send your username</a>
    

    Apparently they didn't want to create a function to do this, so they wrote out the entire code to fake a POST from a link's onclick attribute.

    @morbiuswilters said:

    Unfortunately, the developers weren't stupid enough to use GET vars which makes it just enough trouble to script that I won't bother...

    #!/bin/bash
    while true;do
    echo 'Requesting user name'
    curl -d '' 'http://upc.grouphub.com/amnesia/send_account_holder_user_name' > /dev/null 2>&1
    sleep 5
    done
    


  • @tchize said:

    @DOA said:

     "The user name for Ulises Cortes has been emailed to <whatever>". Sorry couldn't resist.

    I figure he'll be getting a lot of emails in the next few days

     

    Oops, i clicked it again...

    This is still far less awesome than the time we found the open printer consoles.



  • @MiffTheFox said:

    @morbiuswilters said:

    Unfortunately, the developers weren't stupid enough to use GET vars which makes it just enough trouble to script that I won't bother...

    #!/bin/bash
    while true;do
    echo 'Requesting user name'
    curl -d '' 'http://upc.grouphub.com/amnesia/send_account_holder_user_name' > /dev/null 2>&1
    sleep 5
    done
    

    I assumed that wouldn't work because it's not posting any of the form data, nor is it using multipart/form-data encoding type.  Of course, it's pretty easy to add that in but my point was I was too lazy to bother.



  • @morbiuswilters said:

    [quote user="MiffTheFox"][quote user="morbiuswilters"]

    Unfortunately, the developers weren't stupid enough to use GET vars which makes it just enough trouble to script that I won't bother...

    #!/bin/bash
    while true;do
    echo 'Requesting user name'
    curl -d '' 'http://upc.grouphub.com/amnesia/send_account_holder_user_name' > /dev/null 2>&1
    sleep 5
    done
    

    [/quote]

    I assumed that wouldn't work because it's not posting any of the form data, nor is it using multipart/form-data encoding type.  Of course, it's pretty easy to add that in but my point was I was too lazy to bother.

    [/quote]

    Except that there's no form data being sent, I'm assuming they're not checking the content-type header either.



  • @MiffTheFox said:

    @morbiuswilters said:

    @MiffTheFox said:

    @morbiuswilters said:

    Unfortunately, the developers weren't stupid enough to use GET vars which makes it just enough trouble to script that I won't bother...

    #!/bin/bash
    while true;do
    echo 'Requesting user name'
    curl -d '' 'http://upc.grouphub.com/amnesia/send_account_holder_user_name' > /dev/null 2>&1
    sleep 5
    done
    

    I assumed that wouldn't work because it's not posting any of the form data, nor is it using multipart/form-data encoding type.  Of course, it's pretty easy to add that in but my point was I was too lazy to bother.

    Except that there's no form data being sent, I'm assuming they're not checking the content-type header either.

    By God, you're right!  I just saw the input fields and assumed they were populated and submitted with the form.



  • @MeesterTurner said:

     In our software, people who forget their passwords have a box asking them to go to the IT helpdesk. I've always wondered what happens if whoever's manning the IT helpdesk consequently forgets their password since that'll be the person who's got to go to himself to reset his password, but he can't login because he forgot his password, so he has to go to himself... ad infinitum

    Nope.  Sorry to bring reality into this, but what happens when the helpdesk staffer forgets his password is, he asks his coworker to reset his password for him, and she ridicules him about it for days.

    Now, if *all* of the helpdesk staffers currently working forget their passwords, they call up the server admin, and he resets one of their passwords, and the designated helpdesk staffer resets the rest.  (I've only been around once for this; it was 11pm, there were only two people on staff at the helpdesk, and I can't remember why I was still there, but they tried my office phone and got me.)

    If the server admin has also forgotten his password, and so have his coworkers, then the database that stores the passwords gets a short outage while it's re-educated on certain matters.  Exactly how short this outage is, and whether the rest of the users will also need a password change, depends upon the technology in question and the competency of the staff in question (the latter being in serious doubt, because they're supposed to know these things.  Only time I've seen something like this happen, it was a development machine, and its passwords were all changed by the one admin who was using it.  Right before COB, on a Wednesday before Thanksgiving.  WTF.)


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.