17Sep/072
lanuovastagione.it, il codice incriminato
Continuiamo a parlare di lanuovastagione.it, un altro degli scandali italiani.
L'applicativo non solo ci mette a disposizione il web.config.. ma ci mostra anche il codice sorgente.
Sei giorni sono passati. Di risposte o di fix nemmeno l'ombra. Credo che i tempi siano maturi per rilasciare pubblicamente il codice sorgente. L'applicativo è sviluppato in Visual Basic.NET. E' stato scelto di non compilare il codice, ma di lavorare in codebehind lasciando i sorgenti direttamente all'interno del server. Questo significa che, per ogni pagina aspx presente è possibile recuperare il codice sorgente andando ad interrogare il relativo file .aspx.vb.
Prestate attenzione alle query e alla gestione delle variabili "template".
NB : Il ragionamento si applica anche ai seguenti siti.
http://www.diregiovani.it/
http://www.dsonline.it/
http://www.saperidemocratici.it/
http://www.italiafrica.it/
http://bologna07.festaunita.it/
http://byebye900.festaunita.it/
Buona lettura.
Live http://www.lanuovastagione.it/gw/producer/dettaglio.aspx
Link http://www.lanuovastagione.it/gw/producer/index.aspx?t=\gw\producer\dettaglio.aspx.vb
1: Partial Class gw_producer_dettaglio
2: Inherits System.Web.UI.Page
3:
4: Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
5:
6: End Sub
7: Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
8: Dim id_doc As Integer = DOL.snippets.defval(Request("id_doc"), 0)
9: Dim meta As System.Collections.Hashtable = New System.Collections.Hashtable
10: Dim documento As storyega.documento = New storyega.documento(cenvironment.ConnectionString, id_doc)
11: meta = documento.getMeta
12: 'checkRights(meta)
13: Dim template As String = DOL.snippets.defval(Request("t"), "")
14:
15: If template.Length = 0 Then
16: template = DOL.snippets.defval(DOL.utility.sql.getSQLSingleValue("select templatepath from gw_doc_plain where id=" & id_doc, cenvironment.ConnectionString), "/gw/template/dettaglio.htm")
17: End If
18:
19: 'CODICE SPECIFICO AXIA
20: 'Inserire qui il codice utente necessario per inizializzare la pagina
21: Try
22: glamwareadapter.initialize(Me, template, cenvironment.ConnectionString, "/", Me.Context, meta)
23: Catch ex As Exception
24: Response.Write("error on: " & template)
25: 'Response.Redirect("http://wwww.dsonline.it" & template & "?id_doc=" & id_doc)
26: End Try
27: End Sub
28:
29: Private Function getDataDoc(ByVal id_doc As Integer) As Date
30: Dim sql As String = String.Format("SELECT data_doc FROM DOCUMENTO WHERE id_doc={0} ", id_doc)
31: Dim datadoc As Date = Nothing
32: Try
33: datadoc = DOL.utility.DB.SQLClient.getSingleValue(cenvironment.ConnectionString, sql)
34: Catch ex As Exception
35: End Try
36: Return datadoc
37: End Function
38: End Class
Live http://www.lanuovastagione.it/gw/producer/index.aspx
Link : http://www.lanuovastagione.it/gw/producer/index.aspx?t=\gw\producer\index.aspx.vb
1: Partial Class gw_producer_index
2:
3: Inherits System.Web.UI.Page
4:
5: Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
6: End Sub
7:
8: Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
9: 'Dim navman As StoryeGA.StoryeNavigationManager
10: 'navman = New StoryeGA.StoryeNavigationManager(Navigatore)
11: 'navman.connectionString = cenvironment.ConnectionString
12: 'navman.PageDimension = DOL.snippets.defval(Request("pd"), DOL.snippets.GetConfigKey("recperpage"))
13: 'Select Case DOL.snippets.defval(Request("o"), 1)
14: ' Case 0
15: ' navman.Sorting = dolClasses.dolTypes.Ordinamento.Crescente
16: ' navman.sqlSortFieldName = "sortorder"
17: ' Case 1
18: ' navman.Sorting = dolClasses.dolTypes.Ordinamento.Decrescente
19: ' navman.sqlSortFieldName = "sortorder"
20: ' Case 2
21: ' navman.Sorting = dolClasses.dolTypes.Ordinamento.Crescente
22: ' navman.sqlSortFieldName = "ID"
23: ' Case 3
24: ' navman.Sorting = dolClasses.dolTypes.Ordinamento.Decrescente
25: ' navman.sqlSortFieldName = "ID"
26: ' Case 4
27: ' navman.Sorting = dolClasses.dolTypes.Ordinamento.Crescente
28: ' navman.sqlSortFieldName = "text3"
29: ' Case 5
30: ' navman.Sorting = dolClasses.dolTypes.Ordinamento.Decrescente
31: ' navman.sqlSortFieldName = "ID"
32: 'End Select
33: ' ''navman.Sorting = dolClasses.dolTypes.Ordinamento.Decrescente
34: ' ''navman.sqlTableName = "VIEW_ATTR_VIDEOPOST_EXT"
35: ' ''navman.sqlSortFieldName = "id_blogdoc"
36: ' ''navman.go()
37: ''Dim param As System.Collections.SortedList = New System.Collections.SortedList
38: 'Dim param As New System.Collections.Hashtable
39: 'param.Add("AREA", DOL.snippets.defval(Request("AREA"), Nothing))
40: 'param.Add("GPL", DOL.snippets.defval(Request("GPL"), Nothing))
41: 'param.Add("TIPODOC", DOL.snippets.defval(Request("TIPODOC"), Nothing))
42: 'Dim pipo As StoryeGA.ListDocNavmanagerMetaBuilder = New StoryeGA.ListDocNavmanagerMetaBuilder(cenvironment.ConnectionString, navman)
43: 'pipo.setParam(param)
44: 'Dim meta As System.Collections.Hashtable = New System.Collections.Hashtable
45: 'meta.Add("DOC", pipo.getMeta)
46: 'Dim template As String = DOL.snippets.defval(Request("t"), "")
47: ''Inserire qui il codice utente necessario per inizializzare la pagina
48: 'Try
49: ' glamwareadapter.initialize(Me, template, cenvironment.ConnectionString, "/", Me.Context, meta)
50: 'Catch ex As Exception
51: ' Response.Write(ex.Message)
52: ' Response.End()
53: 'End Try
54: Dim navman As storyega.StoryeNavigationManager
55: navman = New storyega.StoryeNavigationManager(Navigatore)
56: navman.connectionString = cenvironment.ConnectionString
57: navman.PageDimension = DOL.snippets.defval(Request("pd"), DOL.snippets.GetConfigKey("recperpage"))
58:
59: Select Case DOL.snippets.defval(Request("o"), 1)
60: Case 0
61: navman.Sorting = dolClasses.dolTypes.Ordinamento.Crescente
62: navman.sqlSortFieldName = "sortorder"
63: Case 1
64: navman.Sorting = dolClasses.dolTypes.Ordinamento.Decrescente
65: navman.sqlSortFieldName = "sortorder"
66: Case 2
67: navman.Sorting = dolClasses.dolTypes.Ordinamento.Crescente
68: navman.sqlSortFieldName = "ID"
69: Case 3
70: navman.Sorting = dolClasses.dolTypes.Ordinamento.Decrescente
71: navman.sqlSortFieldName = "ID"
72: Case 4
73: navman.Sorting = dolClasses.dolTypes.Ordinamento.Crescente
74: navman.sqlSortFieldName = "text3"
75: Case 5
76: navman.Sorting = dolClasses.dolTypes.Ordinamento.Decrescente
77: navman.sqlSortFieldName = "text3"
78: End Select
79:
80: Dim param As System.Collections.Hashtable = New System.Collections.Hashtable
81: param.Add("AREA", DOL.snippets.defval(Request("AREA"), Nothing))
82: param.Add("GPL", DOL.snippets.defval(Request("GPL"), Nothing))
83: param.Add("TIPODOC", DOL.snippets.defval(Request("TIPODOC"), Nothing))
84:
85: Dim pipo As storyega.ListDocNavmanagerMetaBuilder = New storyega.ListDocNavmanagerMetaBuilder(cenvironment.ConnectionString, navman)
86: pipo.setParam(param)
87: Dim meta As System.Collections.Hashtable = New System.Collections.Hashtable
88: meta.Add("DOC", pipo.getMeta)
89: Dim template As String = DOL.snippets.defval(Request("t"), "")
90: 'Inserire qui il codice utente necessario per inizializzare la pagina
91: Try
92: glamwareadapter.initialize(Me, template, cenvironment.ConnectionString, "/", Me.Context, meta)
93: Catch ex As Exception
94: Response.Write(ex.Message)
95: Response.End()
96: End Try
97: End Sub
98: End Class
Live http://www.lanuovastagione.it/servizi/ec/contributi.aspx
Link http://www.lanuovastagione.it/gw/producer/index.aspx?t=\servizi\ec\contributi.aspx
1: Imports DOL.utility
2:
3: Partial Class contributi
4: Inherits System.Web.UI.Page
5:
6: Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
7: 'Inserire il codice da eseguire prima degli eventi di pagina
8: End Sub
9:
10: Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
11: 'Inserire il codice da eseguire dopo gli eventi di pagina
12: Dim template As String = DOL.snippets.defval(Request("t"), "")
13: If template.Length = 0 Then template = "/servizi/ec/contributi.htm"
14: 'Inserire qui il codice utente necessario per inizializzare la pagina
15: glamwareadapter.initialize(Me, template, cenvironment.ConnectionString, "/", Me.Context, Nothing)
16: End Sub
17:
18: Private Sub btInvia_Click(ByVal sender As System.Object, ByVal e As System.Web.UI.ImageClickEventArgs) Handles btInvia.Click
19: If Page.IsValid Then
20:
21: ''' invia i dati alla banca
22: 'Inserire qui il codice utente necessario per inizializzare la pagina
23: 'Me.lblResult.Text = MAC
24: Dim flag As Integer = 0
25:
26: Dim _importo As Long = Val(Me.txImporto.Text) * 100
27: flag += 1
28: Me.Label1.Text &= flag & " "
29: Dim bankpass As New CBankPass
30: bankpass = New CBankPass(_importo)
31: flag += 1
32: Me.Label1.Text &= flag & " "
33:
34: Dim rp As New DOL.RemotePost
35: With rp
36: .Add("IMPORTO", _importo)
37: .Add("VALUTA", bankpass.Valuta)
38: .Add("NUMORD", bankpass.Numord)
39: .Add("IDNEGOZIO", bankpass.Idnegozio)
40: flag += 1
41: Me.Label1.Text &= flag & " "
42: .Add("URLBACK", bankpass.Urlback & "?NUMORD=" & Server.UrlEncode(bankpass.Numord))
43: flag += 1
44: Me.Label1.Text &= flag & " "
45: .Add("URLDONE", bankpass.Urldone)
46: .Add("URLMS", bankpass.Urlms)
47: .Add("TCONTAB", bankpass.Tcontab)
48: .Add("TAUTOR", bankpass.Tautor)
49: .Add("MAC", bankpass.MACRequest(Me.Server))
50: flag += 1
51: Me.Label1.Text &= flag & " "
52: .Url = bankpass.Bankpassurl
53:
54: ' prima di inviare salvo su database il tentativo di transazione
55: Dim sql As String = ""
56: Dim fields As New System.Collections.Specialized.NameValueCollection
57: With fields
58: .Add("nome", DB.Common.SQLTConv(Me.txNome.Text))
59: .Add("cognome", DB.Common.SQLTConv(Me.txCognome.Text))
60: .Add("email", DB.Common.SQLTConv(Me.txEmail.Text))
61: .Add("telefono", DB.Common.SQLTConv(Me.txTelefono.Text))
62: .Add("citta", DB.Common.SQLTConv(Me.txCitta.Text))
63: .Add("cap", DB.Common.SQLTConv(Me.txCap.Text))
64: .Add("provincia", DB.Common.SQLTConv(Me.txProvincia.Text))
65: .Add("importo", DB.Common.SQLNConv(CType(_importo, Double) / 100.0))
66: .Add("valuta", DB.Common.SQLNConv(bankpass.Valuta))
67: .Add("numord", DB.Common.SQLTConv(bankpass.Numord))
68: .Add("tcontab", DB.Common.SQLTConv(bankpass.Tcontab))
69: .Add("tautor", DB.Common.SQLTConv(bankpass.Tautor))
70: .Add("inlist", IIf(Me.ckPublic.Checked, 1, 0))
71: End With
72: Me.Label1.Text &= flag & " "
73: .Url = bankpass.Bankpassurl
74:
75: sql = DB.Common.BuildSQLINSERT("LOOKUP_TRANSAZIONI", fields)
76: Me.Label1.Text &= "<br>" & sql & "<br>" & cenvironment.ConnectionString
77: 'Exit Sub
78: Try
79: DB.SQLClient.doexec(cenvironment.ConnectionString, sql)
80: 'Me.Label1.Text &= flag & " "
81: 'Exit Sub
82: '.Url = bankpass.Bankpassurl
83: .Post()
84: Catch ex As Exception
85: Me.Label1.Text = ex.Message
86: Finally
87: End Try
88: End With
89: End If
90: End Sub
91:
92: Private Sub CustomValidator1_ServerValidate(ByVal source As System.Object, ByVal args As System.Web.UI.WebControls.ServerValidateEventArgs) Handles CustomValidator1.ServerValidate
93: args.IsValid = IsNumeric(Me.txImporto.Text)
94:
95: If Not args.IsValid Then
96: Return
97: End If
98:
99: For i As Integer = 1 To Me.txImporto.Text.Length
100: Dim s As String = Mid(Me.txImporto.Text, i, 1)
101: If Not ("0" <= s And s <= "9") Then
102: args.IsValid = False
103: Return
104: End If
105: Next
106: args.IsValid = True
107: End Sub
108: End Class
September 28th, 2007 - 10:13
Sbagliare è umano.
Perseverare per 16 giorni (dal primo advisory, 12 SET ad oggi, 28 SET) è idiota… er… italiota.
Normalmente preferisco “responsible disclosure” o almeno RFPolicy, ma in questo caso, evidentemente, il tempo ti ha dato ragione.
Ciao
October 4th, 2007 - 14:11
Beh non male, se questa e la nuovastagione, era meglio “er puzzone”.
Se non sapete chi e’ ve lo posso dire io
Grande A