[ic] Re: example of bad web programming

Matt Flaherty interchange-users@lists.akopia.com
Fri Jun 1 06:18:01 2001


> This isn't exactly on topic, but was so funny I had to put up a link
> somewhere. :)
>
>
> https://online.bankone.com/bank/bolLogin.asp?bolErrorMsgStr=This+is+Stupid+I+Think
>
> This is a legitimate web site.  It is actually bankone.com.  The
> foible is that they allow an arbitrary text message to be put in the
> url.  I don't think there's any real way to exploit this, per se.
> However, it just stinks to me as bad design.
>
> As an aside, I wonder if there's a way to force a buffer overflow
> with this?
> --
>  (__) Doug Alcorn (mailto:doug@lathi.net http://www.lathi.net)
>  oo / PGP 02B3 1E26 BCF2 9AAF 93F1  61D7 450C B264 3E63 D543
>  |_/  If you're a capitalist and you have the best goods and they're
>       free, you don't have to proselytize, you just have to wait.

For kicks, try this URL (you'll have to copy and paste it in)

https://online.bankone.com/bank/bolLogin.asp?bolErrorMsgStr=<img%20src="http://developer.akopia.com/ic/images/foundation/logo.gif">

If you're going to do something like this, you should at least encode the
special characters. The area of the page in which the image displays is
inside of a form tag, so you might imagine inserting an arbitrary form field
to compromise security somehow. Buffer overflow seems unlikely, though.

-Matt
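As an added example (not code from the thread or from the bank's site), this shows the encoding Matt asks for, applied to the reflected bolErrorMsgStr parameter: the naive render echoes the URL's img tag into the login form, the escaped render turns it into inert text. The markup of bolLogin.asp is unknown, so the surrounding form is assumed; the URL is the one quoted in the post.

```python
# Added example, not from the original thread. Only the parameter name
# bolErrorMsgStr and the sample URL come from the post; the form markup is assumed.
from html import escape
from urllib.parse import parse_qs, urlsplit

# URL copied from the post: the error-message parameter carries an <img> tag.
SAMPLE_URL = (
    "https://online.bankone.com/bank/bolLogin.asp?bolErrorMsgStr="
    '<img%20src="http://developer.akopia.com/ic/images/foundation/logo.gif">'
)

# Assumed login form; the error message is placed inside it, as Matt observed.
FORM_HEAD = '<form action="bolLogin.asp" method="post"><p class="err">'
FORM_TAIL = '</p><input name="user"><input name="pass" type="password"></form>'


def error_message_from_url(url: str) -> str:
    """Extract bolErrorMsgStr from the query string (percent-decoding applied)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("bolErrorMsgStr", [""])[0]


def render_naive(msg: str) -> str:
    """Echo the parameter into the page verbatim: the behaviour the thread describes.
    Any markup in the URL becomes markup inside the login form."""
    return FORM_HEAD + msg + FORM_TAIL


def render_escaped(msg: str) -> str:
    """Same page, but <, >, &, " and ' are HTML-escaped before insertion,
    so the browser shows the text of the message instead of interpreting it."""
    return FORM_HEAD + escape(msg, quote=True) + FORM_TAIL


def reflects_markup(page: str, msg: str) -> bool:
    """Defender's check: True if a tag from the parameter survives verbatim in the page."""
    return "<" in msg and msg in page


if __name__ == "__main__":
    msg = error_message_from_url(SAMPLE_URL)
    print("naive reflects markup:  ", reflects_markup(render_naive(msg), msg))
    print("escaped reflects markup:", reflects_markup(render_escaped(msg), msg))
```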