
Obscure code hell and a security hole for a bus

It would be nice to be able to say "only joking" about this code; however, this code was live, on the internet. Spot the bus-sized security hole.

The code sample is color coded because I needed to demonstrate to some non-techies what a mess things were, and showing them the language mish-mash like this worked well. Sorry if you only have a narrow screen; I didn't fancy trying to word-wrap it ...

Answer to the security hole below:

Key:
JSP: server-side scripting language
HTML: client display layout
Java: server-side programming language
JavaScript: client scripting language
SQL: database programming language
CSS: client display style

Code:

...
<script>
function saveSnippet(controlname) {
var myvalue = document.all[controlname].value;
mysql = "update mgruat.conf_component set <%=locale%>='"+cleanvalue(myvalue)+"' where id="+(controlname.substring(5));
processQueue(mysql);
document.all[controlname].style.backgroundColor="#ffffff";
}
</script>
...
<%for (int i = 0; i < queryResult.length; i++) { %>
...
<TD width="10"><INPUT style="width:300px;" onfocus="spansave<%=queryResult[i][0]%>.style.visibility='visible';this.style.background='#ffffcc'" value="<%=codedResult%>" type="Text" name="value<%=queryResult[i][0]%>"></TD>
<TD><span id="spansave<%=queryResult[i][0]%>" style="visibility:hidden;"><NOBR><a href='javascript:;' onclick='spansave<%=queryResult[i][0]%>.style.visibility="hidden";saveSnippet("value<%=queryResult[i][0]%>")'><img src="/contenteditor/icons/save.gif" width="18" height="18" alt="" border="0" align="absmiddle"/> save</a></NOBR></span></TD>
...
<%} %>
...
...

It's not there any more ;-P.

Digging the project out of this hole is what inspired me to write DWR.

Curious about the security hole? Answer in white on a white background below, select the text to view:

The SQL is built in JavaScript, not Java, so the function it is passed to (processQueue) sends the finished SQL string from the browser back to the server for execution. Altering that string to 'DROP DATABASE' before it is sent is rather easy.
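The hole described above, and the shape of the fix, as an added example that is not the page's code and not part of DWR: a stand-in for the page's mgruat.conf_component table is constructed in an in-memory SQLite database (the real site used MySQL; SQLite has no DROP DATABASE, so DROP TABLE stands in for the page's example). process_queue_as_on_page() does what the page's processQueue() amounted to, running whatever SQL the browser sends; save_snippet() is the hardened replacement, where the browser sends only the locale, id and value, the locale is checked against a whitelist of known columns, and the value is bound as a query parameter. The locale list, table layout and sample rows are all constructed for the example.

```python
import sqlite3

# Constructed stand-in for the page's conf_component table: one row per content
# snippet, one column per locale (the JSP used <%=locale%> as the column name).
LOCALE_COLUMNS = ("en_GB", "fr_FR", "de_DE")


def make_db():
    """Build an in-memory SQLite database with sample rows (constructed data)."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"{c} TEXT" for c in LOCALE_COLUMNS)
    conn.execute(f"CREATE TABLE conf_component (id INTEGER PRIMARY KEY, {cols})")
    conn.executemany(
        "INSERT INTO conf_component (id, en_GB, fr_FR, de_DE) VALUES (?, ?, ?, ?)",
        [(1, "Hello", "Bonjour", "Hallo"), (2, "Goodbye", "Au revoir", "Tschuess")],
    )
    conn.commit()
    return conn


def table_exists(conn):
    """True while the conf_component table is still there."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='conf_component'"
    ).fetchone()
    return row[0] == 1


def read_snippet(conn, locale, component_id):
    """Read one snippet; the column is whitelisted, the id is a bound parameter."""
    if locale not in LOCALE_COLUMNS:
        raise ValueError(f"unknown locale column: {locale!r}")
    row = conn.execute(
        f"SELECT {locale} FROM conf_component WHERE id = ?", (component_id,)
    ).fetchone()
    return row[0] if row else None


def process_queue_as_on_page(conn, sql_from_browser):
    """What the page's processQueue() amounted to: the SQL string was assembled
    in browser-side JavaScript and the server ran it unchanged. Whoever controls
    the browser therefore controls the whole statement, so the client-side
    cleanvalue() escaping protects nothing."""
    conn.executescript(sql_from_browser)


def save_snippet(conn, locale, component_id, value):
    """Hardened replacement: the browser sends (locale, id, value) only. The
    column name comes from a server-side whitelist (column names cannot be bound
    as parameters) and the value is bound, never concatenated into the SQL."""
    if locale not in LOCALE_COLUMNS:
        raise ValueError(f"unknown locale column: {locale!r}")
    if not isinstance(component_id, int) or component_id < 0:
        raise ValueError("id must be a non-negative integer")
    cur = conn.execute(
        f"UPDATE conf_component SET {locale} = ? WHERE id = ?", (value, component_id)
    )
    conn.commit()
    return cur.rowcount


def demo_hole():
    """The page's design: a well-behaved request works, and so does any other
    statement the browser chooses to send. Returns whether the table survived."""
    conn = make_db()
    process_queue_as_on_page(conn, "update conf_component set en_GB='Hi' where id=1")
    assert read_snippet(conn, "en_GB", 1) == "Hi"
    process_queue_as_on_page(conn, "DROP TABLE conf_component")
    return table_exists(conn)


def demo_fix():
    """The hardened handler stores a hostile-looking value literally and the
    table survives. Returns (rows updated, stored value, table still exists)."""
    conn = make_db()
    rows = save_snippet(conn, "en_GB", 1, "Hi'; DROP TABLE conf_component; --")
    return rows, read_snippet(conn, "en_GB", 1), table_exists(conn)


if __name__ == "__main__":
    print("table survives with page's design:", demo_hole())
    print("hardened handler:", demo_fix())
```

The important design choice is where the SQL is assembled: once the server accepts a finished statement from the client, no amount of escaping on either side helps, because the client is choosing the statement. The whitelist on the column name is the only part of save_snippet() that needs care, since SQL parameters can carry values but not identifiers.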
