This Tuesday I saw a really badly made PHP web application. Two, actually. I was giving a time estimate for how long it would take to transfer these applications to our servers. While I was reading the code it became apparent that they had more security holes than Emmental cheese. Most views had obvious SQL injection vulnerabilities and most probably XSS too, although I didn't think to look for XSS at the time. It just puzzled me that this bad code even exists.

But the cherry on top was that the password wasn't checked at all. The login form was on the organization's website and was sent to the selected application. But the password wasn't checked in the application. And this was made by a real Finnish software development firm, like what the fuck.

Time to redo the applications, I guess. Not like there's anything wrong with that if they pay for it.
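The two defects the post describes, as an added example that is not code from the applications in question: a login function that interpolates the username straight into SQL and never looks at the password, next to a version that uses a PDO prepared statement and password_verify(). The users table and its column names, the in-memory SQLite setup and every input value are assumptions made for the illustration. It uses PHP 7 scalar type hints; password_hash()/password_verify() need PHP 5.5 or newer (older PHP 5 can use the password_compat library).

```php
<?php
// Added illustration for this post; not code from the applications described.
// Assumptions: a users table (id, username, password_hash) where password_hash
// was produced by password_hash(), and a PDO connection. Inputs are constructed.

// The two defects the post describes, in one function: the username is
// concatenated into the SQL string, and $password is never compared to anything.
function loginBroken(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false;   // any existing username logs in; $password is unused
}

// Hardened form: bound parameter, then a real check against the stored hash.
function loginFixed(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Registration side, so a hash exists to verify against: never store the plaintext.
function createUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Self-check against an in-memory SQLite database with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
createUser($pdo, 'alice', 'correct horse battery staple');

// Broken version: wrong password still logs in, and a crafted username
// turns the WHERE clause into  username = 'nobody' OR '1'='1'.
var_dump(loginBroken($pdo, 'alice', 'wrong-password'));        // bool(true)
var_dump(loginBroken($pdo, "nobody' OR '1'='1", 'anything'));  // bool(true)

// Fixed version: the password matters and the quote is just data.
var_dump(loginFixed($pdo, 'alice', 'wrong-password'));                     // bool(false)
var_dump(loginFixed($pdo, 'alice', 'correct horse battery staple'));       // bool(true)
var_dump(loginFixed($pdo, "nobody' OR '1'='1", 'anything'));               // bool(false)
```

Run it with `php login.php` (needs the pdo_sqlite extension). The fix is two independent changes: the prepared statement removes the injection regardless of what the password logic does, and password_verify() makes the password actually participate in the decision; an application can have either bug without the other.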

  • 0
    There are security holes in cheese?
    Damn, I had no idea!
    Are there patches available?

    How old were the applications btw?
  • 0
    @Rotten I have no idea how old the code is. It's using PHP 5, XHTML and table layouts. But old shouldn't mean it's bad code, right?