Obscure code hell and a security hole for a bus
It would be nice to be able to say "only joking" about this code; however, this code was live, on the internet. Spot the bus-sized security hole.
The code sample is color coded because I needed to demonstrate to some non-techies what a mess things were, and showing them the language mish-mash like this worked well. Sorry if you only have a narrow screen; I didn't fancy trying to word-wrap it ...
Answer to the security hole below:
Key:
JSP: Server-side scripting language
HTML: Client display layout
Java: Server-side programming language
JavaScript: Client scripting language
SQL: Database programming language
CSS: Client display style
Code:
<script>
function saveSnippet(controlname) {
var myvalue = document.all[controlname].value;
mysql = "update mgruat.conf_component set <%=locale%>='"+cleanvalue(myvalue)+"' where id="+(controlname.substring(5));
processQueue(mysql);
document.all[controlname].style.backgroundColor="#ffffff";
}
</script>
...
<%for (int i = 0; i < queryResult.length; i++) { %>
...
<TD width="10"><INPUT style="width:300px;" onfocus="spansave<%=queryResult[i][0]%>.style.visibility='visible';this.style.background='#ffffcc'" value="<%=codedResult%>" type="Text" name="value<%=queryResult[i][0]%>"></TD>
<TD><span id="spansave<%=queryResult[i][0]%>" style="visibility:hidden;"><NOBR><a href='javascript:;' onclick='spansave<%=queryResult[i][0]%>.style.visibility="hidden";saveSnippet("value<%=queryResult[i][0]%>")'><img src="/contenteditor/icons/save.gif" width="18" height="18" alt="" border="0" align="absmiddle"/> save</a></NOBR></span></TD>
...
<%} %>
...
...
It's not there any more ;-P.
Digging the project out of this hole is what inspired me to write DWR.
Curious about the security hole? The answer is in white on a white background below; select the text to view it:
The SQL is embedded in the JavaScript, not in the Java, so the function it is passed to (processQueue) has to send that SQL string from the browser back to the server for execution. Altering the SQL to 'DROP DATABASE' is therefore rather easy.
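The fix is not to "clean" the value harder on the client but to stop the browser sending SQL at all: the client sends only the snippet id and the new text, and the server builds the UPDATE itself with the value bound as a parameter. The following is an added example, not code from the original post or from DWR; it reuses the post's table name, column layout and control-name format (name="value<id>"), while the set of allowed locale columns and the function names are assumptions. Because a column name cannot be bound as a parameter, the locale is checked against a fixed allowlist instead of being interpolated from request data.

```javascript
// Added example (not from the original post): the hardened counterpart to
// saveSnippet(). Table and column layout follow the post; the locale list and
// the function names are assumptions.

// Locales that exist as columns in mgruat.conf_component (assumed list).
// Column names cannot be bound as parameters, so the locale must come from
// this allowlist rather than from anything the client sends.
const ALLOWED_LOCALES = new Set(["en_GB", "fr_FR", "de_DE"]);

// Browser side: what saveSnippet() should hand to the server instead of a
// SQL string. "value42" follows the post's name="value<id>" convention.
function buildSaveRequest(controlname, value) {
  if (!/^value\d+$/.test(controlname)) {
    throw new Error("unexpected control name: " + controlname);
  }
  return { id: controlname.substring(5), value: value };
}

// Server side: turn the request into a parameterised UPDATE.
// Returns { sql, params } for a driver to execute with bound parameters;
// nothing from the client is ever concatenated into the SQL text.
function buildSaveSnippetQuery(locale, request) {
  if (!ALLOWED_LOCALES.has(locale)) {
    throw new Error("unknown locale column: " + locale);
  }
  // id must be a plain non-negative integer; anything else is rejected.
  if (typeof request.id !== "string" || !/^\d+$/.test(request.id)) {
    throw new Error("invalid id: " + String(request.id));
  }
  if (typeof request.value !== "string") {
    throw new Error("value must be a string");
  }
  return {
    sql: "update mgruat.conf_component set " + locale + " = ? where id = ?",
    params: [request.value, Number(request.id)],
  };
}

// Stand-alone demonstration with constructed inputs: a value containing a
// quote is passed through untouched because it is bound, not interpolated.
function demo() {
  const req = buildSaveRequest("value42", "it's a snippet with a quote");
  return buildSaveSnippetQuery("en_GB", req);
}

console.log(JSON.stringify(demo()));
```

With this shape the server decides what SQL runs; the only influence the client has is which row (an integer id) and what text goes into the bound parameter, which is exactly the DWR-style "call a server method with data" model rather than "ship a query to the server".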
Comments
So here's an interesting perspective; I don't totally agree with it but it is worth noting:
The programmer was under pressure to get a job done as quickly as possible, and (with the benefit of hindsight) correctly judged that no one would find the security hole. So he took a gamble (albeit a potentially costly one) and it paid off.