Really simple authentication



  • While trying to download one of our clients enviromental license (which by the way can be freelly dowloaded from the webiste of our EPA equivalent) i landed at this page:

    http://www.bomdia.pt/ambiente/acesso_ambiente.htm

    I dunno why but I tought it was weird to find a login page on the website and decided to check its source code. Besides being done in frontpage, I found this piece of js that handles the "authentication":

    function access() {
    var access;
    var password;
    password=this.document.access.inputbox.value;
    if (password!="")
       {
       access=password + ".htm";
       location.href=access;
       }
    }
    


  • At least it is the most secure authentication that javascript can offer.



  • I was disappointed when I read from the top down and got to the if (password != "") condition, as I was hoping to see something to the effect of if (access == "someUserName"), but got a chuckle as soon as I hit the access=password + ".htm" part. Not that it matters, but do they at least put noindex nofollow meta tags on those ... erm, "secured" pages?

    The really funny part is that if you enter anything into the "password" field (especially something that couldn't possibly exist, well maybe), the resulting page appears to be a catch-all stating that you are unauthorized, and if you want access to e-mail them for it.

    Eh, at least they disabled directory listings.



  • I recall being guilty of something similar, though it was very long ago and I can't find the source.

    IIRC I had an associative array of the destination url encrypted with the hashes of each user/password combination, indexed by a second hash. That way, we could give everyone different logins, and it could detect bad logins rather than just sending them to a 404.



  • I couldn't find anything on google, so they probably did use nofollow and noindex.

    Also it seems like this was not a quick fix or something like that, since I found the same piece of code on two other pages.

    The worst part about this is that, first the link to get to this login page is on the front page, so this is information that they think is important and that should be easily available to their visitors. Second the information that the login page is protecting is not confidential or private, it's actually, like I mentioned before, public information freely available on our EPA website without needing to use a password or pay for anything. You just have to search for the company name and download the file.



  •  There was an article about a website just like this. Originally the code went something like

     

    if (password=="thePass")
    {
       access="thePage.htm";
       location.href=access;
    }
    else
    {
         alert("Bad password.")
    }
     
    before switching to the WTF you gave to prevent "hacking"

     

     
     


  • @BaRRaKID said:

    function access()
    {
      var access;
      var password;
      password=this.document.access.inputbox.value;
      if (password!="")
      {
        access=password + ".htm";
        location.href=access;
      }
    }

     

    i've seen almost identical code in a beginners JavaScript tutorial a read a long time ago back when i was a beginner. Name of the chapter was "JavaScript and security" which seemed strage itself, but immediately after seeing this "example" i stopped reading it.

    i propose it to be called L.A.M.E. (location address means of ensecurement) password pattern



  • @SEMI-HYBRID code said:

    i propose it to be called L.A.M.E. (location address means of ensecurement) password pattern
    I like it. But how about Security via Html Input Textbox?


Log in to reply