Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
arantr22128y@pstuart2 Of course, if the file is named secret.js and starts with a comment warning not to edit or read that file
-
This has to be fake. If true = true return false block gives it away as a lame attempt to show bad code.
At least that's my assessment of this. I could wrong, and this could actually be someone's real code, and exposed on the internet somewhere. :P -
ChappIO46978y@fyroc wait that's what caught your eye? Not the fact that some api accepts sql queries?
-
I saw that and typed internet, thinking, if the code is that bad... anything is possible, code could float up to the internet someday.
-
@yo-adrian He did say intranet so not exposed (if it is a large company it is still problematic as hell though).
I would not be surprised if it was real, i've seen much worse. (Non technical companies buying custom software from the lowest bidder and getting pretty much what they pay for isn't all that uncommon) -
Ok....
I hope the original dev was found behind the shed, with a bullet holes in both hands, and the head. -
@ItsNotMyFault yeah, see my explanation. I probably should have thrown that in my first response.
-
could have been written by my former "lead dev". i think i don't have to tell you the reason he's no more.
-
@srivmanu he just felt like wasting an if. If it's true, it won't leave continue past the for, so he's just being silly with the base case
-
@ronakkaria @ronakkaria Well obviously the passwords are stored in clear text, so you basically have every pw of every user ;)
Maybe you can't hack the DB, but even then it is a huuuuuuge fail. -
arantr22128y@ronakkaria Because of the <script> tags I assume that this JS code is run on the client side (in the browser). So anyone can go and edit the code and use the exposed API to run *any* SQL queries like `drop table users;` and similar. And apiService seems to be global, so console is enough.
And the fact that you have access to every password in the system is a problem not only for this system but also because most users tend to reuse the passwords in multiple services... so... -
Dude....
My ministry of DEFENSE is running Joomla 1.5.
😐😐😐😐😐
And no I won't say which country :D -
fyroc58758y@ChappIO I mean I didn't want to assume that this was Frontend. Could've been an electron or Cordova app
-
@fyroc but even then... Just extract the app package and there you go. Happens...
-
daniello2738y@yo-adrian i guees you are right. "true" == "true" (its a String!!!!)... Thats to lame.
Even if its in Intranet... -
The most beautiful part is that he retrieve the whole user table... with what we can assume, password in clear!!
-
@arantr @qbasic16 ohh.. didn't even notice this was client side :P. Brain fart. Saw sql and apiService and, just imagined this as node. (Fail)
#dehydrated
Now with a clearer head I see that call to get the accounts is treated as synchronous. There's no callbacks! Wut. So this cannot even work. This is a joke right? -
@qbasic16 noticed the passwords thing before. Didn't see the sql injection. Lol. I need sleep
-
The passwords are stored in plain text??
The stupidity of "professionals" never ceases to amaze me -
Two wrongs a right do not make.
But two trues make a false...
...according to that javascript which looks fake. -
yzhea21958y@srivmanu me too. then it would return false? that would showthe error message right? or not? haha. I think my logic is failing XD
-
strider6858yYou gonna have to give credit to the man, he wants to put the js-code into a different file, for better security i guess 😅
-
There is no need for a sql injection just modify the js to be true always and Tada no authentication!!
-
adinortey148yHaha true === true of course. This is the worst implementation on login I've ever seen. Doesn't someone know about server side code?
-
I'm surprised by first todo, then I'm confused by SQL API call? I totally doubt my life when true true thing comes...
-
grosten14508yIt's getting harder to breathe. My face is turning blue. There's only fear in my eyes.
-
maalur3148yI think this was made by someone who just started coding. Otherwise this was made by a pm who thought that devs are a waste of cash.
-
antons7858yWTF this can't be real... This would also suggest that the passwords are not encrypted?!
-
If there is somebody getting paid to do that, I can get it too, even without any professional experience! Better than that I certainly do.
-
mfalade1667yAnd to think that the best improvement the author could think of was abstract this garbage to a different file.. lmfao 😂
I am at a loss for words. This JavaScript powers the login of a company's intranet
undefined