By KC Lemson [MS]

On security in web applications

I learned this lesson the hard way. I used to manage the interoperability lab for the Outlook team, which is a lab with a bunch of different email and LDAP servers used for testing the POP/IMAP/SMTP/LDAP support in Outlook. In an effort to minimize the grunt work in this role as well as teach myself new skills, I learned enough ASP and script to write some web pages to automate repetitive tasks like account creation for certain servers. One of the web pages looked something like this:

My alias is [domain]\[user]. I would like accounts on [servers].

The domain\user fields were customizable to allow for users requesting accounts from shared machines where they wouldn't be logged in to their corp account, among other reasons. After clicking Submit on the form, the accounts would be created on the target servers and an email sent to the corporate email account of the requestor. The emails came on behalf of the Outlook interop lab email account, so my name wasn't associated with them. I logged the requests to a file on the server but didn't check it regularly after I verified it was working.

For several months this worked wonderfully. Until one day I got mail from a Microsoft employee wondering why they got this mail from the Outlook lab when they didn't request the accounts. I looked at the log and saw requests for accounts for gbush and dcheney and decided that I really needed to fix the pages so that pranksters wouldn't get me in trouble. But as always, life was busy and so I didn't get around to it that day. The next day:

> -----Original Message-----
> From: (General Manager of Outlook)
> Sent: Tuesday, August 15, 2000 4:09 PM
> To: KC Lemson
> Subject: FW: Your account request has been received
>
> ?
>
> -----Original Message-----
> From: Steven Sinofsky
> Sent: Tuesday, August 15, 2000 4:02 PM
> To: (General Manager of Outlook)
> Subject: FW: Your account request has been received
>
> Did we do this by accident in the lab?
>
> -----Original Message-----
> From: Bill Gates
> Sent: Tuesday, August 15, 2000 3:59 PM
> To: Steven Sinofsky
> Cc: Eric Rudder
> Subject: FW: Your account request has been received
>
> -----Original Message-----
> From:   Outlook Interop Test Lab
> Sent:   Tuesday, August 15, 2000 1:09 PM
> To:     Bill Gates
> Subject:        Your account request has been received
>
> It will be processed within an hour. Your account name is:
> billg-A1. You've requested an account on a platinum server.
> Don't forget that you'll need to use the domain 'outplat'
> when authenticating.

Needless to say, it got fixed real quick.
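The bug described above, as an added illustration that is not the original ASP page's code: a handler that trusts the form's domain\user field, beside one that binds the request to the identity the web server authenticated and records who asked for what, plus an audit pass over that log. The request dict layout, the alias names and the `requested-by` log format are assumptions made for the example.

```python
"""The self-declared-alias bug beside a hardened handler (constructed example,
not the original ASP page). A request is a dict: 'remote_user' is the alias the
web server authenticated (REMOTE_USER under integrated Windows auth; None when
anonymous) and 'form' holds the posted fields."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Outcome:
    created_for: Optional[str]  # domain\user the account was created for
    notify: Optional[str]       # corporate alias that gets the confirmation mail
    rejected: Optional[str]     # reason for refusal, if any
    log_line: str               # what the server appends to its request log

def handle_vulnerable(req: dict) -> Outcome:
    """Trusts the form: anyone can name any domain\\user; the account is created
    and the confirmation mail lands in that person's corporate mailbox."""
    f = req["form"]
    target = f"{f['domain']}\\{f['user']}"
    return Outcome(target, f["user"], None, f"created {target} on {f['server']}")

def handle_hardened(req: dict, delegates: frozenset = frozenset()) -> Outcome:
    """Binds the request to the authenticated caller instead of a form field."""
    caller = req.get("remote_user")
    if not caller:
        return Outcome(None, None, "not authenticated", "rejected: anonymous request")
    f = req["form"]
    target = f"{f['domain']}\\{f['user']}"
    # Requesting on someone else's behalf is limited to named delegates, and the
    # confirmation always goes to the caller, so a surprised recipient is never
    # the first to learn of the request.
    if f["user"].lower() != caller.lower() and caller.lower() not in delegates:
        return Outcome(None, caller, "alias does not match authenticated user",
                       f"rejected: {caller} requested {target}")
    return Outcome(target, caller, None,
                   f"created {target} on {f['server']} requested-by {caller}")

def requests_for_others(log_lines) -> list:
    """Audit the hardened log for accounts requested under someone else's alias."""
    hits = []
    for line in log_lines:
        if " requested-by " not in line:
            continue
        target, requester = line.split(" requested-by ")
        user = target.split(" on ")[0].split("\\")[-1]
        if user.lower() != requester.strip().lower():
            hits.append(line)
    return hits
```

Running `requests_for_others` over the log on a schedule is the check the original page admits it skipped: the log existed but nobody read it.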

Comments
  • It's good that you haven't tested the HR system ;o)

    > -----Original Message-----
    > From: Human Resources Lab
    > Sent: Tuesday, August 15, 2000 1:09 PM
    > To: Bill Gates
    > Subject: Your leave request has been received
    >
    > It will be processed within an hour.
    > You will receive a competitive laid-off compensation package.
    > Thanks for working at Microsoft

  • Any chance on releasing that script? Would be mighty useful to me :D

    Of course, I'll put it behind .htauth or something :)

  • I have a script which does more or less the same thing here: http://www-numi.fnal.gov:80/HyperNews/get/HNtest.html?embed=-1

  • Hi John,

    That site is password protected so I can't see the script that you wrote.