An interesting analysis. Thanks.
cforcode
@cforcode
Latest posts made by cforcode
-
RE: SAP Community Network Web Server WTF
First, this isn't Apache or any other web application server you know. This is a SAP enterprise product (they eat their own dog food and choke on it sometimes).
Second, if this problem was due to sanitization, they would have discovered it during testing, right? So either they don't test (=> WTF) or their QA allows this to happen (=> WTF). Both are very unlikely.
Third, setting an HTTP response code 501 as the result of input sanitization is like, well, blowing up the house if somebody presses the doorbell button for an empty apartment. It is very unlikely that this behaviour is by design.
So, the only logical consequence is that this error occurs right in the bowels of their web server as the result of a convoluted maze of twisted code paths through a dozen crappy abstraction layers piled onto each other in a rickety Rube Goldbergian way. I have seen this code, and I know what I'm talking about.
-
RE: SAP Community Network Web Server WTF
@TarquinWJ: This has nothing to do with sanitizing input. This bug occurs on an entirely unrelated level, and that's the WTF.
-
RE: SAP Community Network Web Server WTF
@TarquinWJ said:
Simple enough. They are trying to do some sort of server-side sanitising (removing harmful markup that could be an XSS attempt). When they detect what looks like an attempt to generate a JS event handler attribute, it tries to remove it. The removal function is relying on some method that is not implemented in that specific server-side environment, so it throws an error.
Gee. Let me clarify. The web server crashes with error 501, "Method GET not implemented".
And do you really think a search term like "onmouseover=" is "harmful markup" and not being able to search for it prevents XSS attacks :-) YMMD :-)
-
SAP Community Network Web Server WTF
If you have had the pleasure of working with SAP products, you will know that they all have a fair share of WTFs deep down below. Most of the errors can be explained by negligence, inexperience, malice, or maybe sheer stupidity. This bug I stumbled upon in their forum software, though, keeps dumbfounding me as for the life of me I can't figure out which major design snafu is going on right down there. OK, maybe not for the life of me, but it shows that there's something wrong on more levels than I even know or care about.
Their URL is: http://www.sdn.sap.com/irj/scn
This is the bug description:
Whenever you submit the name of a common client side JavaScript event handler followed by an equals sign in the search text field (or pretty much any text field, for that matter), the server crashes with the error message "Method not implemented".
For example, try "onselect=". An "onselect" will not trigger the error, but "onselect<any_number_of_blanks>=" does. Or "onclick=", for instance. Or "onmouseover=". But not "onfubar=".
Now I browse this site with JavaScript off, so I'm sure it has nothing to do with my client. You can also call the search URL directly: http://www.sdn.sap.com/irj/scn/advancedsearch?query=onselect+%3D
This will also trigger the error.
WTF is going on there, SAP. Where in the mysterious maze of that Java-powered ABAP crapfest is the server actually choking on a simple string that happens to be a JavaScript event handler name. WTF, SAP. WTF.
I think these two acronyms will be forever linked in my brain. And for those of you who always crave TRWTF, here it is: I told them about this bug two years ago.
WTF, SAP. WTF.
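As an added illustration (not cforcode's code and not anything from SAP's product), here is a Python sketch of the match rule the post describes: a fixed list of handler names, optional blanks, then "=". The handler list, the `handle_search` endpoint and the 400 response are assumptions; the point is that a filter hit on user input is a client error, not a server failure.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Handler names the post reports as triggering the error. "onfubar=" does
# not trigger it, so the filter apparently uses a fixed list rather than a
# generic on* match (assumption based on the post's observations).
EVENT_HANDLERS = {"onclick", "onmouseover", "onselect"}

# A handler-looking token, any amount of whitespace, then "=".
# Matches "onselect   =" and "onclick=", but not a bare "onselect".
HANDLER_ATTR_RE = re.compile(r"\b(on[a-z]+)\s*=", re.IGNORECASE)


def looks_like_event_handler_attr(text: str) -> bool:
    """True if text contains a listed handler name followed by '='."""
    return any(
        m.group(1).lower() in EVENT_HANDLERS
        for m in HANDLER_ATTR_RE.finditer(text)
    )


def query_from_url(url: str) -> str:
    """Extract the decoded 'query' parameter from a search URL.

    parse_qs turns '+' into a space and '%3D' into '=', so the URL quoted
    in the post decodes to 'onselect ='.
    """
    return parse_qs(urlsplit(url).query).get("query", [""])[0]


def handle_search(query: str) -> tuple[int, str]:
    """Hypothetical search endpoint (constructed for this example).

    A filter hit is reported as 400 Bad Request, never as 501, and plain
    search terms go through to the (stubbed) search.
    """
    if looks_like_event_handler_attr(query):
        return 400, "Bad Request: query contains markup-like content"
    return 200, f"results for {query!r}"


if __name__ == "__main__":
    url = "http://www.sdn.sap.com/irj/scn/advancedsearch?query=onselect+%3D"
    q = query_from_url(url)
    print(repr(q), handle_search(q))          # 'onselect =' -> 400
    for term in ("onselect", "onselect   =", "onfubar=", "onclick="):
        print(repr(term), looks_like_event_handler_attr(term))
```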
-
RE: Symantec Enterprise Support: Troubleshooting by Screenshot
No, that's actually /p instead of /g.
-
RE: Symantec Enterprise Support: Troubleshooting by Screenshot
@PJH, one WTF begets another. There is no end.
For those who can't see the MSDN article, it says:
1. Open a cmd window (that's a shell, take this, Unix freaks!)
2. Run the program
3. Examine the output
-
RE: Symantec Enterprise Support: Troubleshooting by Screenshot
Really?
Compare this: http://support.microsoft.com/kb/894351/en-us
-
Symantec Enterprise Support: Troubleshooting by Screenshot
OK, now that Alex has finally approved my forum account (thanks!) I get to post this cute little WTF gem:
Pro tip: If you can't decipher the screenshot, print it out and send it to Symantec by snail mail for thorough inspection.