

There is a reason why I test sites

16 July 2011 21:50

Recently I was at a pub and there was an advert for pub tokens displayed on the window. Seemed like a cute idea:

  • Buy & donate tokens which can be spent (only) on beer.

Perfect for friends, family, remote hackers/developers & similar.

When I got home I checked out their site. Seemed simple and nice enough, with good coverage (in terms of local drinking establishments that would accept their tokens).

I decided to sign up, with the intention of gifting my sister with some delicious beer. Unfortunately that's where it all went wrong.

I tend to act the same on all new sites. Partly to amuse myself, partly to get a feel for how safe/secure/good the site is, I'll try to log in with a few different values.

You know you're in trouble when you see responses like this:

SELECT * FROM cms_module_pubtokens_users where email = '"'' AND
   password =''"' LIMIT 1

Fatal error: Call to a member function FetchRow() on a non-object in
  /home/pubtokens/U79P18WQ/htdocs/includes/functions.php on line 291

Suffice it to say I sent them an email, then poked them on twitter, but to no avail.

In conclusion they don't get my money, and I couldn't recommend them to anybody else at this point either. As I'm not a customer at least I can rest easy knowing my details haven't been compromised at any point over the past few months.

ObQuote: "It can't rain all the time" - The Crow



Comments on this entry

Tobias at 11:28 on 16 July 2011

And that's not the only one:



Steve Kemp at 11:30 on 16 July 2011

Nice catch.

I lost interest once I logged in as a random user and saw their details.

kunta kinte at 09:49 on 18 July 2011

So you managed to trigger an error message by inserting a special character! wow, how impressive. You must be a security expert.

Steve Kemp at 09:52 on 18 July 2011

The thing you're obviously missing is that from that error message you can login as any user - via the process of SQL injection.

Consider the two simplest cases - login with username & password of '. Then consider what happens if you were to login with a username of: ' or admin=1 --'.

Obviously details differ, but the application is broken. Like so many others, and not at all secure.
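Added example (not code from the post, the commenters or the site): the query-building pattern that the echoed error message in the post reveals, beside the parameterised form that closes it, run with Python's sqlite3 against a constructed in-memory table. The table name comes from the page; the admin column, the single row and the login functions are assumptions for the example.

```python
import sqlite3

# Constructed fixture: a table named after the one in the quoted error message.
# The admin column and the single row are assumptions made for this example;
# the password is stored in plaintext only to mirror the quoted query (real
# systems compare against a salted hash, never the raw value).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_module_pubtokens_users "
                 "(email TEXT, password TEXT, admin INTEGER)")
    conn.execute("INSERT INTO cms_module_pubtokens_users "
                 "VALUES ('alice@example.com', 'correct-horse', 1)")
    conn.commit()
    return conn


def login_concat(conn, email, password):
    """Vulnerable: the SQL text is assembled from raw input, which is exactly
    what the echoed query in the error message shows. A lone quote breaks the
    statement (the site's fatal error); other input rewrites the WHERE clause."""
    sql = ("SELECT * FROM cms_module_pubtokens_users where email = '" + email
           + "' AND password ='" + password + "' LIMIT 1")
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # The original site surfaced this as a PHP fatal error on FetchRow().
        return ("SQL_ERROR", str(exc))


def login_param(conn, email, password):
    """Hardened: bound parameters keep input out of the SQL grammar, so the
    same strings are compared as values and never parsed as SQL."""
    sql = ("SELECT * FROM cms_module_pubtokens_users "
           "WHERE email = ? AND password = ? LIMIT 1")
    return conn.execute(sql, (email, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "'", "x"))                  # SQL error, like the site
    print(login_concat(db, "' or admin=1 --'", "x"))   # admin row without a password
    print(login_param(db, "' or admin=1 --'", "x"))    # None: treated as a literal
    print(login_param(db, "alice@example.com", "correct-horse"))
```

The parameterised version also removes the information leak: a malformed value is simply a non-matching string, so no query text reaches the error page.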