There is a reason why I test sites

Saturday, 16 July 2011

Recently I was at a pub and there was an advert for pub tokens displayed on the window. Seemed like a cute idea:

  • Buy & donate tokens which can be spent (only) on beer.

Perfect for friends, family, remote hackers/developers & similar.

When I got home I checked out their site. Seemed simple and nice enough, with good coverage (in terms of local drinking establishments that would accept their tokens).

I decided to sign up, with the intention of gifting my sister some delicious beer. Unfortunately, that's where it all went wrong.

I tend to act the same on all new sites. Partly to amuse myself, partly to get a feel for how safe/secure/good the site is, I'll try to log in with a few different values.

You know you're in trouble when you see responses like this:

SELECT * FROM cms_module_pubtokens_users where email = '"'' AND
   password =''"' LIMIT 1

Fatal error: Call to a member function FetchRow() on a non-object in
  /home/pubtokens/U79P18WQ/htdocs/includes/functions.php on line 291

Suffice it to say I sent them an email, then poked them on twitter, but to no avail.

In conclusion, they don't get my money, and I couldn't recommend them to anybody else at this point either. As I'm not a customer, at least I can rest easy knowing my details haven't been compromised at any point over the past few months.

ObQuote: "It can't rain all the time" - The Crow


Comments On This Entry

[gravitar] Tobias

Submitted at 11:28:33 on 16 july 2011

And that's not the only one:

https://www.pubtokens.com/index.php?page=signin&errtxt=%3Ch1%20onclick=alert%28%27noooo%27%29%3ENOOOO%3C/h1%3E

gaaahhh

[author] Steve Kemp

Submitted at 11:30:04 on 16 july 2011

Nice catch.

I lost interest once I logged in as a random user and saw their details.

[gravitar] kunta kinte

Submitted at 09:49:57 on 18 july 2011

So you managed to trigger an error message by inserting a special character! wow, how impressive. You must be a security expert.

[author] Steve Kemp

Submitted at 09:52:47 on 18 july 2011

The thing you're obviously missing is that from that error message you can log in as any user - via the process of SQL injection.

Consider the two simplest cases - log in with username & password of '. Then consider what happens if you were to log in with a username of: ' or admin=1 --'.

Obviously details differ, but the application is broken. Like so many others, and not at all secure.
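To make the point of the thread concrete, here is an added example (not code from the post or from the site in question) that reproduces the failure mode against a constructed in-memory SQLite table: the same login query built by string concatenation, as the error message above implies the site does, next to the parameterised form that treats the input as data. The table name, columns and row are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the site's user table; not its real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT, admin INTEGER)")
    db.execute("INSERT INTO users VALUES ('alice@example.org', 'hunter2', 1)")
    return db


def login_concatenated(db, email, password):
    # The pattern the page's error output implies: user input pasted into SQL.
    sql = ("SELECT * FROM users WHERE email = '" + email
           + "' AND password = '" + password + "' LIMIT 1")
    return db.execute(sql).fetchone()


def login_parameterised(db, email, password):
    # Same query with bound parameters: the driver never lets input become SQL.
    sql = "SELECT * FROM users WHERE email = ? AND password = ? LIMIT 1"
    return db.execute(sql, (email, password)).fetchone()


def demo():
    db = make_db()
    out = {}
    # A lone apostrophe in the email field leaves the concatenated query with
    # an unterminated string, which is what produces a "query failed" style
    # fatal error like the FetchRow() one quoted in the post.
    try:
        login_concatenated(db, "'", "")
        out["concat_quote"] = "no error"
    except sqlite3.OperationalError:
        out["concat_quote"] = "syntax error"
    # The comment's second case: the quote closes the string, "or admin=1"
    # widens the WHERE clause and "--" comments out the password check,
    # so the concatenated query returns the first admin row with no password.
    out["concat_bypass"] = login_concatenated(db, "' or admin=1 --", "x")
    # With parameters both inputs are just strings that match no email.
    out["param_quote"] = login_parameterised(db, "'", "")
    out["param_bypass"] = login_parameterised(db, "' or admin=1 --", "x")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```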
