380

I am at a loss for words. This JavaScript powers the login of a company's intranet

Comments
  • 43
    What the.... does someone not know how to use a WHERE clause?
  • 20
    O M G.
  • 39
    No, please NO! Tell me this is just a lame joke!
  • 62
    Why the fuck is there an API service calling SQL?
  • 59
    @nblackburn SQL injection made easy, you know πŸ˜‚
  • 71
    Let's not miss the TODO at the top because... That would be better?
  • 36
    @pstuart2 Of course, if the file is named secret.js and starts with a comment warning not to edit or read that file
  • 10
    speechless
  • 68
    I love how it checks if true is still true lol
  • 5
    WHAT THE HELLLLL???
  • 4
    Haha now that's a good one
  • 21
    This has to be fake. If true = true return false block gives it away as a lame attempt to show bad code.

    At least that's my assessment of this. I could wrong, and this could actually be someone's real code, and exposed on the internet somewhere. :P
  • 5
    @yo-adrian intranet*
  • 9
    @fyroc wait that's what caught your eye? Not the fact that some api accepts sql queries?
  • 3
    I saw that and typed internet, thinking, if the code is that bad... anything is possible, code could float up to the internet someday.
  • 6
    @yo-adrian He did say intranet so not exposed (if it is a large company it is still problematic as hell though).

    I would not be surprised if it was real, i've seen much worse. (Non technical companies buying custom software from the lowest bidder and getting pretty much what they pay for isn't all that uncommon)
  • 14
    ' if ("true" == "true") ' Nice :D
  • 13
    @ChappIO And that the passwords are stored in plaintext 😰😱
  • 7
    Ok....
    I hope the original dev was found behind the shed, with a bullet holes in both hands, and the head.
  • 0
    @ItsNotMyFault uhm and itsNotYourFault... 😁
  • 0
    @ItsNotMyFault yeah, see my explanation. I probably should have thrown that in my first response.
  • 2
    could have been written by my former "lead dev". i think i don't have to tell you the reason he's no more.
  • 2
    I am very confused about line 556
  • 0
    @srivmanu he just felt like wasting an if. If it's true, it won't leave continue past the for, so he's just being silly with the base case
  • 0
    What to the actual fuck lol
  • 0
    Shit on me!
  • 1
    What site is that??
  • 10
    "DROP TABLE users;" anyone? xD
  • 1
    Wow... Someone needs fired.
  • 0
    @qbasic16 @arantr Explain? I don't see a vulnerability.
  • 1
    @ronakkaria @ronakkaria Well obviously the passwords are stored in clear text, so you basically have every pw of every user ;)
    Maybe you can't hack the DB, but even then it is a huuuuuuge fail.
  • 5
    @ronakkaria Because of the <script> tags I assume that this JS code is run on the client side (in the browser). So anyone can go and edit the code and use the exposed API to run *any* SQL queries like `drop table users;` and similar. And apiService seems to be global, so console is enough.

    And the fact that you have access to every password in the system is a problem not only for this system but also because most users tend to reuse the passwords in multiple services... so...
  • 4
    Dude....

    My ministry of DEFENSE is running Joomla 1.5.
    😐😐😐😐😐

    And no I won't say which country :D
  • 5
    @antonis179 Wild guess: Greece?
  • 1
    @arantr
    Gotta change that username πŸ€”πŸ€”
    But I didn't say it! πŸ‘ΌπŸ‘ΌπŸ‘Ό
  • 0
    O. M. F. G. 😨
  • 0
    @ChappIO I mean I didn't want to assume that this was Frontend. Could've been an electron or Cordova app
  • 1
    @fyroc but even then... Just extract the app package and there you go. Happens...
  • 0
    @yo-adrian i guees you are right. "true" == "true" (its a String!!!!)... Thats to lame.

    Even if its in Intranet...
  • 4
    The most beautiful part is that he retrieve the whole user table... with what we can assume, password in clear!!
  • 5
    @arantr @qbasic16 ohh.. didn't even notice this was client side :P. Brain fart. Saw sql and apiService and, just imagined this as node. (Fail)

    #dehydrated

    Now with a clearer head I see that call to get the accounts is treated as synchronous. There's no callbacks! Wut. So this cannot even work. This is a joke right?
  • 2
    @qbasic16 noticed the passwords thing before. Didn't see the sql injection. Lol. I need sleep
  • 7
    if("true" === "true"){
    return false;
    }
    πŸ˜­πŸ˜’πŸ˜‚

    Oh my. So many things wrong with it I cannot hold...all the jokes....brain freeze.
  • 1
    Can you git blame that please so none of use will ever hire this person.
  • 0
    The passwords are stored in plain text??
    The stupidity of "professionals" never ceases to amaze me
  • 0
    stores passwords in plain text file called passwords.txt
  • 6
    Two wrongs a right do not make.

    But two trues make a false...
    ...according to that javascript which looks fake.
  • 4
    @srivmanu me too. then it would return false? that would showthe error message right? or not? haha. I think my logic is failing XD
  • 0
    You gonna have to give credit to the man, he wants to put the js-code into a different file, for better security i guess πŸ˜…
  • 2
    I can't stand the pain, this is wrong in so many ways.
  • 2
    There is no need for a sql injection just modify the js to be true always and Tada no authentication!!
  • 0
    Haha true === true of course. This is the worst implementation on login I've ever seen. Doesn't someone know about server side code?
  • 5
    "Oh yes, little Bobby tables we call him.."
  • 0
    This is the best I have seen all day πŸ˜…
  • 0
    Fuck dis shit man, that ain't right!
  • 1
    Only single line have no security flaws - comment
  • 1
    You could have a lot of fun with that in the console.
  • 2
    This code doesn't work cause the http call is async.
  • 1
  • 0
    @one541 TIL
  • 0
    I'm surprised by first todo, then I'm confused by SQL API call? I totally doubt my life when true true thing comes...
  • 1
    #rantOfTheWeek congratz
  • 2
    It's getting harder to breathe. My face is turning blue. There's only fear in my eyes.
  • 6
    MY EYES !
  • 1
    Console.log (accounts) πŸ˜‰
  • 4
    I think this was made by someone who just started coding. Otherwise this was made by a pm who thought that devs are a waste of cash.
  • 2
    πŸ˜•
  • 0
    @nblackburn actually, not that long ago Facebook offered the same thing. It was called FQL and you could run queries on the Facebook API. This was available till august last year.
  • 1
    @Sauruz What does that have to do with this?
  • 2
    If true is true it's false :D
  • 1
    It's only missing a 'goto'
  • 0
    @nblackburn maybe I misinterpreted your comment. I thought you were wondering why someone would have an API where you could do SQL queries. So I thought it would be useful to mention that Facebook thought it was useful till last year.
  • 0
    @Sauruz Does the developer above look capable of that?
  • 0
    @nblackburn I have no idea, don't know the guy/girl.
  • 0
    @Sauruz I meant from the shitty code :P
  • 0
    I'm sleeping now. Wake me up when this is fixed!
  • 0
    @antonis179 or you could change your location
  • 1
    @zubin10 but to what... Maybe Mars? Hmmmmm
  • 2
    WTF this can't be real... This would also suggest that the passwords are not encrypted?!
  • 0
    This is so funπŸ˜‚πŸ˜‚
    only if this was real, oh. wait a sec-πŸ˜‘
  • 4
    This is code rape. Please someone arrest the guy who wrote this
  • 1
    My fucking eyes!!! This is disgusting!
  • 1
    If there is somebody getting paid to do that, I can get it too, even without any professional experience! Better than that I certainly do.
  • 0
    It can be worse, the SQL user can have power to drop tables too...
  • 0
    And to think that the best improvement the author could think of was abstract this garbage to a different file.. lmfao πŸ˜‚
Add Comment