A well-known address – The Daily WTF

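Amanda's company wanted to limit access to the service by filtering on the requester’s IP address. Yes, this is a terrible idea: an address identifies a network path, not a person, since NAT and proxies put many users behind one address and addresses get reassigned. So they wanted to make it a little smarter and filter on various subnets. But they had a LOT of different subnets.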

So the result was this:

' Start from "deny": ok is only ever raised to 1 by an allowlist match.
ok = 0

' REMOTE_ADDR is the peer address the web server saw for this request. Behind a
' proxy or NAT that is the intermediary's address, so a match here says which
' network the request arrived from, not who sent it.
ip = Request.ServerVariables("REMOTE_ADDR")

' Exact-address allowlist (every entry is redacted in the published listing).
Select Case ip
        Case "xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx", _
             "xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx", _
             "xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx"
                ok = 1
End Select

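' Reduce the client address to its first three octets so it can be compared
' against /24-sized prefixes below.
' Only a four-part dotted value yields a prefix. Anything else (an IPv6 literal,
' an empty value) leaves ip3 empty, which no real prefix entry can equal, so the
' request is denied instead of failing with "Subscript out of range" on
' ip2(1) or ip2(2).
ip3 = ""
ip2 = Split(ip,".")
if UBound(ip2) = 3 then
        ip3 = ip2(0) &"."& ip2(1) &"."& ip2(2)
end if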

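' Prefix allowlist, first batch. ip3 holds the first three octets of the client
' address, so each entry admits an entire /24 network; a narrower or wider range
' cannot be expressed and has to be enumerated entry by entry.
' Every entry is redacted in the published listing.
' The list uses explicit "_" continuations: VBScript does not carry a statement
' across a bare line break, so the condition as printed (wrapped in the middle
' of the expression) would not compile.
Select Case ip3
        Case "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx"
                ok = 1
End Select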

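' Prefix allowlist, second batch: same test as the batch before it, on the same
' three-octet prefix in ip3. A match in any batch sets ok to 1 and nothing
' resets it afterwards.
' Every entry is redacted in the published listing.
' The list uses explicit "_" continuations: VBScript does not carry a statement
' across a bare line break, so the condition as printed (wrapped between "=" and
' its string operand) would not compile.
Select Case ip3
        Case "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", _
             "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx", "xxx.xxx.xxx"
                ok = 1
End Select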

' Send the browser on according to the allowlist result: anything that did not
' match goes back to index.asp with an error flag, a match goes to the
' "private" location.
' NOTE(review): the check only decides which Location the browser is told to
' fetch. The private URL is handed to the client in the redirect, so the
' content is protected only if that destination enforces its own access
' control; nothing in this listing shows that it does.
if ok <> 1 then
        response.redirect "index.asp?error=1"
else
        response.redirect "http://www.somedomain.com/something/that/is/meant/to/be/private"
end if

Imagine that every xxx is part of a real IP address. Whitespace as in the original, apologies to your scrollbar.

This code is quite old – classic ASP – but it was still in use a decade ago. It just so happens that Amanda was working on it. She did the sane thing: she deleted this block and just used the authentication system the app already had. Customers were happy, because it meant they didn’t have to whitelist their IP address; they could just log in.

At least one manager was unhappy, because they were convinced that by whitelisting they were enforcing a “per seat” license – “Each computer has a unique IP address!” they insisted. “Without this verification, they could log in from any computer, anywhere!”

Fortunately, that manager was eventually overruled when someone pointed out that this would give each user their own account, preventing two people from sharing the same computer.
