Winova Van Norman is, judging by their "About Us" page, a machine-tool manufacturer: "Since 1888, the company has designed and manufactured machining equipment and continues to innovate new solutions. A full range of equipment includes machinery for motorcycles, small engines, automobile, diesel, marine and high performance engine rebuilding."
Okay, so at least they don't pretend to be an "Internet Security Consulting" firm. But they did go to the trouble of putting up some attempt at a secure login page; for some reason you have to be a registered user to see their online brochures.
Looking at the source of their homepage, nothing immediately jumps out in terms of security flaws, until you look at the JavaScript function that's called when you submit the login form: Login(). To see what it does, you have to open the lone JavaScript include, located at /work.js. There you'll find the awesomeness that is the Login() function.
function Login(){
var done=0;
var username=document.login.username.value;
username=username.toLowerCase();
var password=document.login.password.value;
password=password.toLowerCase();
It starts out with a couple of WTFs: your username and password are lowercased before they're checked, so passwords are effectively case-insensitive (and a smaller keyspace for anyone guessing). Okay, fine. But that's when things get AWESOME. After that, there are dozens of lines like this:
if (username=="someusername" && password=="wtf") { window.location="brochures.html"; done=1; }
Over and over, usernames and passwords listed right there in plaintext, readable by anyone who loads the script. And then you realize very quickly that the check is completely pointless anyway: the "login" is nothing but a client-side redirect, so you can just change the URL in the browser to /brochures.html and you're there, with no authentication check at all.
Now, I understand that there isn't really a huge need for security on this site to begin with, but that doesn't change the fact that dozens and dozens of username and password combinations are just hanging out there. Hopefully the people who registered chose combinations unique to this site. Who knows? But yes, there's the big Saturday WTF.