Entertaining little story

SeaJones
Forum Commoner
Posts: 48
Joined: Tue Jun 30, 2009 5:40 pm

Entertaining little story

Post by SeaJones »

Hey all,

Something rather entertaining happened over the last few days and I thought you lot would appreciate its amusingness.

I was on a freelancing site, collecting simple pay-the-bills-because-some-tit-bought-a-server work, and I found a simple little job to correct some security vulnerabilities with some software. A piece of software for running mp3.com/soundclick style sites had various issues, including being able to run Blind-SQL Injections in URLs, being able to use direct SQL-injections on forms and being able to upload scripts and then activate them using the "upload a profile picture" option.

I was awarded the work based on my feedback and bid amount, and asked for access to the server on which it was installed. The client was unwilling to offer this, and sent me a zip file on which to alter the files instead.

They were a huge mess, and I found them a pain in the arse to read, let alone fix. But trawling through, I fixed all the "$username=$_GET['username']" errors and use of $_GET stuff in SQL queries without escaping or sanitisation of any sort, one at a time. The files were a joke, using multiple references to $_GET['variable'] instead of just defining things and then referring to the variables by name.

I fixed the upload issues, but suggested also putting in place some changes to htaccess and file perms to make doubly sure, and this is when things got weird.

The guy said he didn't know how to do that, and I offered to make the changes myself for a few extra pounds, thinking that it would help him, and I'd get better feedback. He flat out refused which confused me. I tried to explain and again he refused. I marked the work as complete and left it, receiving another message a few days later:

"Ok, truth now. I am the general manager of [softwarehousename] and I need this software fixing so I can sell it. Will you help?"

This guy had me patching holes in awful software with the intention of creating a release candidate from it. I always thought I'd work that kind of thing out.
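The two classes of hole SeaJones describes, request values dropped straight into SQL and a profile-picture upload that will happily store a script, look like this in PHP. This is an added illustration, not the software from the post or the patch SeaJones delivered; the table and column names, the upload directory, the size limit and the function names are all assumptions.

```php
<?php
declare(strict_types=1);

// --- The pattern the post describes (deliberately vulnerable, shown for contrast) ---
// The request parameter becomes part of the query text, so a crafted value
// changes the query's structure instead of being treated as data.
function findUserByNameUnsafe(mysqli $db, string $username): ?array
{
    $result = $db->query("SELECT id, username FROM users WHERE username = '$username'");
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened form: a prepared statement with a bound parameter ---
// The SQL text is fixed at prepare() time; the value travels separately and is
// never parsed as SQL, whatever characters it contains. (Table/columns assumed.)
function findUserByName(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// --- Profile-picture upload that cannot be turned into a script drop ---
// $file is one entry of $_FILES (e.g. $_FILES['avatar']); $uploadDir is assumed
// to be outside the web root, or served with PHP execution disabled.
// Returns the name the file was stored under.
function saveProfilePicture(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) { // 2 MiB limit, an assumed policy
        throw new RuntimeException('File too large');
    }
    // Decide the type from the bytes, never from the client-supplied name or MIME type.
    $info = @getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('Not a supported image');
    }
    // Choose our own name and extension; the original file name is discarded,
    // so nothing with a scriptable extension can land on disk via this path.
    $storedName = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable by the web server, not executable
    return $storedName;
}

// Usage sketch (connection details and paths are assumed):
// $db   = new mysqli('localhost', 'app', 'secret', 'musicsite');
// $user = findUserByName($db, $_GET['username'] ?? '');
// $name = saveProfilePicture($_FILES['avatar'], '/var/www/uploads');
```

The .htaccess and permission changes the post mentions are the belt to go with these braces: with mod_php, a `.htaccess` in the upload directory containing `php_flag engine off` stops the interpreter running anything stored there, so even a file that slipped past the content check is served as inert bytes rather than executed; under php-fpm the same rule has to live in the server configuration instead.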
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Entertaining little story

Post by califdon »

Entertaining, yes. But you didn't drop the other shoe: what was your reply? :twisted:
SeaJones
Forum Commoner
Posts: 48
Joined: Tue Jun 30, 2009 5:40 pm

Re: Entertaining little story

Post by SeaJones »

Ah well, it was a freelancing site, so I was contracted to finish what I started. I sent him the software changed, but only the files he asked to be changed, pointed out the many other holes, and informed the site that the software was in my opinion not suitable for release due to inherent issues in the original code. I told him the same.
marty pain
Forum Contributor
Posts: 105
Joined: Thu Jun 11, 2009 5:32 am
Location: Essex

Re: Entertaining little story

Post by marty pain »

Bit off topic, but what freelancing site do you use?