Always on time

A couple of days ago, an officemate initiated a jabber chat with me.  He told me that he found a problem on our online time sheet while he was tinkering with the firebug plugin.  Turns out there’s a hidden field for the login time that one can tamper with, and again no server-side validation for it.  Using firebug, one can update the value for the hidden field, and then use the form to submit.  The problem’s been escalated.  I wonder if they’ll fix it though… or simply dismiss it on account of “the users won’t do that.” 😛
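The bug described above, as an added example that is not from the original page or the time sheet it describes: the first handler trusts the hidden login_time field the way the post says the server did, the second stamps the server clock and keeps any conflicting client value only for audit logging. Function and field names, and the sample submissions, are assumptions.

```python
"""Added example: a 'time in' form with a hidden login_time field.

Vulnerable handler: stores whatever the client sends (the bug in the post).
Hardened handler: ignores the client's value, records the server clock, and
notes a mismatching client value so tampering attempts can be logged.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data: the server receives the form at 09:17 UTC.
SERVER_NOW = datetime(2024, 3, 4, 9, 17, tzinfo=timezone.utc)
HONEST_FORM = {"user": "alice", "login_time": "2024-03-04T09:17:00+00:00"}
TAMPERED_FORM = {"user": "alice", "login_time": "2024-03-04T08:00:00+00:00"}
GARBAGE_FORM = {"user": "alice", "login_time": "yesterday"}

@dataclass
class TimeEntry:
    user: str
    login_time: datetime
    tampered_value: Optional[str] = None  # client value that disagreed with the server clock

def record_time_in_vulnerable(form: dict) -> TimeEntry:
    """No server-side validation: the hidden field becomes the record as-is."""
    return TimeEntry(user=form["user"], login_time=datetime.fromisoformat(form["login_time"]))

def record_time_in_hardened(form: dict, server_now: datetime = SERVER_NOW) -> TimeEntry:
    """The server clock is the only source of truth for the login time.

    The client's login_time (if present) is never stored as the entry time.
    If it is unparseable or more than 60 s away from the server clock, it is
    kept in tampered_value so the application can log the attempt."""
    entry = TimeEntry(user=form["user"], login_time=server_now)
    client_value = form.get("login_time")
    if client_value is None:
        return entry
    try:
        claimed = datetime.fromisoformat(client_value)
    except ValueError:
        claimed = None
    if claimed is None or abs((claimed - server_now).total_seconds()) > 60:
        entry.tampered_value = client_value
    return entry
```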

Security fail

I came across an interesting bug the other day as I was trying to think of a good example of URL hacking. I entered the URL to our company’s online time sheet (OTS) onto my favorite browser and then backspaced a bit. I hit enter when the browser was pointed to and ta-dah… a directory listing.

Most interesting was that upon checking the contents of the folders, I came across a file with a .conf extension.  That made me do a double-take.  True enough, when I opened the file, it contained the DB server, username and password to our OTS. There was also a very helpful readme.txt file which cited the .conf file and the supposedly confidential information.  This has been fixed, though; that is, at least access to the .conf and readme files has been.  The directory listing can still be viewed. 😛

So much for nationalism

Singapare?! (Alt title:  So much for tourism)

I’ve been meaning to take a picture of my colleague’s magnet for some time. Never really gotten around to it until this morning.

At first glance, you won’t really notice it since it’s pretty much a very typical-looking souvenir magnet.  And then you do a double-take when you notice the text… Singapare?!