
There is a reason why I test sites

16 July 2011 21:50

Recently I was at a pub and there was an advert for pub tokens displayed on the window. Seemed like a cute idea:

  • Buy & donate tokens which can be spent (only) on beer.

Perfect for friends, family, remote hackers/developers & similar.

When I got home I checked out their site. Seemed simple and nice enough, with good coverage (in terms of local drinking establishments that would accept their tokens).

I decided to sign up, with the intention of gifting my sister with some delicious beer. Unfortunately that's where it all went wrong.

I tend to act the same way on every new site. Partly to amuse myself, partly to get a feel for how safe, secure and well-built the site is, I'll try to log in with a few different values.

You know you're in trouble when you see responses like this:

SELECT * FROM cms_module_pubtokens_users where email = '"'' AND
   password =''"' LIMIT 1

Fatal error: Call to a member function FetchRow() on a non-object in
  /home/pubtokens/U79P18WQ/htdocs/includes/functions.php on line 291

Suffice it to say I sent them an email, then poked them on Twitter, but to no avail.

In conclusion, they don't get my money, and I couldn't recommend them to anybody else at this point either. As I'm not a customer, at least I can rest easy knowing my details haven't been compromised at any point over the past few months.

ObQuote: "It can't rain all the time" - The Crow


Comments on this entry

Tobias at 11:28 on 16 July 2011

And that's not the only one:

https://www.pubtokens.com/index.php?page=signin&errtxt=%3Ch1%20onclick=alert%28%27noooo%27%29%3ENOOOO%3C/h1%3E

gaaahhh

Steve Kemp at 11:30 on 16 July 2011
http://www.steve.org.uk/

Nice catch.

I lost interest once I logged in as a random user and saw their details.

kunta kinte at 09:49 on 18 July 2011

So you managed to trigger an error message by inserting a special character! wow, how impressive. You must be a security expert.

Steve Kemp at 09:52 on 18 July 2011
http://www.steve.org.uk/

The thing you're obviously missing is that from that error message you can log in as any user - via the process of SQL injection.

Consider the two simplest cases - log in with a username & password of '. Then consider what happens if you were to log in with a username of: ' or admin=1 --'.

Obviously details differ, but the application is broken. Like so many others, and not at all secure.
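As an added example (not code from the post, nor from the pubtokens site), this reproduces the pattern behind the error message quoted in the post and the point made in the comment above: the login query built by pasting user input into SQL text, beside the parameterised form that fixes it. Only the table name comes from the quoted query; the columns, rows and the in-memory SQLite database are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data: table name taken from the post's error
    # message, columns and rows assumed. Passwords are kept as plain values
    # only to mirror the quoted query; a real application compares a hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_module_pubtokens_users (email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO cms_module_pubtokens_users VALUES (?, ?)",
        [("alice@example.com", "hunter2"), ("o'brien@example.com", "hunter2")])
    return conn


def build_query_unsafe(email, password):
    # Hypothetical reconstruction of the login query seen in the post:
    # the submitted values are spliced straight into the SQL text.
    return ("SELECT * FROM cms_module_pubtokens_users where email = '%s' AND "
            "password ='%s' LIMIT 1") % (email, password)


def login_unsafe(conn, email, password):
    # Any quote in the input rewrites the query. Even a legitimate
    # apostrophe in an address breaks it; the PHP in the post then called
    # FetchRow() on the failed result, hence the fatal error.
    try:
        return conn.execute(build_query_unsafe(email, password)).fetchone()
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc


def login_safe(conn, email, password):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so a quote in the input is only ever part of a value.
    return conn.execute(
        "SELECT * FROM cms_module_pubtokens_users "
        "WHERE email = ? AND password = ? LIMIT 1",
        (email, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe("o'brien@example.com", "hunter2"))
    print(login_unsafe(db, "o'brien@example.com", "hunter2"))  # SQL error
    print(login_safe(db, "o'brien@example.com", "hunter2"))    # the row
    print(login_safe(db, "' or admin=1 --'", "x"))             # None
```

The last call feeds the username from the comment above through the parameterised query; it simply matches no row, because the quote and the comment marker never reach the SQL parser as syntax.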