
CodeSOD: The Administrator Hack

by Remy Porter, from The Daily WTF (#6EGCF)

A decade ago, Adam was doing support on a classic ASP application. This was an internal application which tracked sales accounts, employee reviews, and general HR information. Now, the company had a real HR system, but some of their internal processes predated it, so they kept a custom application that duplicated things the HR system already did: they already owned the application and didn't want to retrain people.

One day, a manager logged in, started doing some work, took a break, and came back, only to discover that when she pulled up a list of employees, she no longer saw her direct reports, but instead saw all of the employees at the company. She reported the bug and Adam picked up the ticket.

Adam's first suspicion was that her session timed out, and then there must be something wrong in how the session got initialized.

If Session("User_Type") <> "USER" Then
    ' list all names in the system
Else
    ' list only the names this user has access to
End If

Yes, when the session expired, Session("User_Type") came back empty, which is not "USER", so the visitor was given access to the entire system. That was the default logic. While a simple If Session("User_Type") = "ADMIN" Then might have fixed the immediate bug, one has to wonder: why didn't an expired session trigger a log out?

Because there wasn't any authentication. There was a "logon screen", which was a <frame>-based page that requested credentials, and did confirm them. And once it did, it used some client-side JavaScript to update the <frame> to load this application. But if you knew the URL of the application, you could just put that in your browser and use it with no credentials.

Oh, and while this was an internal application, it wasn't an intranet application; it was exposed to the web for anyone who knew the URL.
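The two defects above, the fail-open scope check and the missing server-side logon gate, are easy to see side by side in a small model. The following Python is an added example written for this page, not code from the article or from Adam's application; the Session dataclass stands in for the classic ASP Session object (an expired session reads back as None), and the employee names, org chart, admin list and timeout value are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the HR application's tables.
ALL_EMPLOYEES = ["alice", "bob", "carol", "dave", "erin"]
DIRECT_REPORTS = {"mgr_jane": ["alice", "bob"], "mgr_raj": ["carol"]}
ADMIN_USERS = {"hr_admin"}
SESSION_TIMEOUT_SECONDS = 20 * 60  # assumed timeout; classic ASP defaults to 20 minutes


@dataclass
class Session:
    """Stand-in for the ASP Session object. After a timeout every key reads
    back empty, which is modelled here as None."""
    user_id: Optional[str] = None
    user_type: Optional[str] = None
    last_seen: float = 0.0


def list_names_original(session: Session) -> list[str]:
    """The article's check: anything that is not exactly "USER", including an
    empty, expired session, sees every employee. Fail-open."""
    if session.user_type != "USER":
        return list(ALL_EMPLOYEES)
    return list(DIRECT_REPORTS.get(session.user_id, []))


def list_names_hardened(session: Session) -> list[str]:
    """Deny by default: the broad view is granted only on a positive match,
    and any other session state is an error rather than a wider scope."""
    if session.user_type == "ADMIN" and session.user_id in ADMIN_USERS:
        return list(ALL_EMPLOYEES)
    if session.user_type == "USER" and session.user_id:
        return list(DIRECT_REPORTS.get(session.user_id, []))
    raise PermissionError(f"unrecognised session state {session.user_type!r}")


def handle_request(session: Session, now: float) -> dict:
    """Server-side gate that every application page runs before doing any
    work, so knowing the URL is not enough: an absent or timed-out session
    is sent back to the logon page instead of falling through to the data."""
    expired = now - session.last_seen > SESSION_TIMEOUT_SECONDS
    if session.user_id is None or expired:
        # Clear whatever is left so a later page cannot reuse stale values.
        session.user_id = session.user_type = None
        return {"status": 302, "location": "/logon.asp"}
    session.last_seen = now
    try:
        return {"status": 200, "names": list_names_hardened(session)}
    except PermissionError as err:
        return {"status": 403, "reason": str(err)}
```

Feeding an empty Session() to list_names_original reproduces the manager's bug report (the full company list), while the hardened check refuses it and the gate redirects to /logon.asp. The point of the gate living on the server is that the logon <frame> and its client-side JavaScript are no longer the only thing standing between a URL and the data.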
