On security in web applications

I learned this lesson the hard way. I used to manage the interoperability lab for the Outlook team, which is a lab with a bunch of different email and LDAP servers used for testing the POP/IMAP/SMTP/LDAP support in Outlook. In an effort to minimize the grunt work in this role as well as teach myself new skills, I learned enough ASP and script to write some web pages to automate repetitive tasks like account creation for certain servers. One of the web pages looked something like this:

My alias is [ ]\[ ]. I would like [123] accounts on [server1 | server2 | server3].

The domain\user fields were customizable to allow for users requesting accounts from shared machines, where they wouldn't be logged in to their corp account, among other reasons. After clicking Submit on the form, the accounts would be created on the target servers and an email sent to the corporate email account of the requestor. The emails came on behalf of the Outlook interop lab email account, so my name wasn't associated with them. I logged the requests to a file on the server but didn't check it regularly after I verified it was working.

For several months this worked wonderfully. Until one day I got mail from a Microsoft employee wondering why they got this mail from the Outlook lab when they didn't request the accounts. I looked at the log and saw requests for accounts for gbush and dcheney and decided that I really needed to fix the pages so that the pranksters wouldn't get me in trouble. But as always, life was busy and so I didn't get around to it that day. The next day:

> -----Original Message-----
> From: (General Manager of Outlook)
> Sent: Tuesday, August 15, 2000 4:09 PM
> To: KC Lemson
> Subject: FW: Your account request has been received
>
> ?
>
> -----Original Message-----
> From: Steven Sinofsky
> Sent: Tuesday, August 15, 2000 4:02 PM
> To: (General Manager of Outlook)
> Subject: FW: Your account request has been received
>
> Did we do this by accident in the lab?
>
> -----Original Message-----
> From: Bill Gates
> Sent: Tuesday, August 15, 2000 3:59 PM
> To: Steven Sinofsky
> Cc: Eric Rudder
> Subject: FW: Your account request has been received
>
> -----Original Message-----
> From: Outlook Interop Test Lab
> Sent: Tuesday, August 15, 2000 1:09 PM
> To: Bill Gates
> Subject: Your account request has been received
>
> It will be processed within an hour. Your account name is:
> billg-A1. You've requested an account on a platinum server.
> Don't forget that you'll need to use the domain 'outplat'
> when authenticating.

Needless to say, it got fixed real quick.
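As an added illustration (this is not the original ASP page, which the post does not reproduce), the Python below sketches both designs: the one described above, where the requester is whatever the form claims, and a fixed one that binds the request to the identity the web server has already authenticated and refuses a mismatched alias. It assumes the server does that authentication (integrated Windows auth, say) and hands the verified principal to the handler; the server allowlist, the account cap, the `Lab` stand-in for the mail relay and log file, and the `corp\...` sample aliases are constructed for the example.

```python
"""Added example of the account-request handler from the post above.
Not the original ASP code. Assumes the web server authenticates the
caller and passes the verified identity in as `authenticated_user`;
the allowlist, cap, Lab stand-in and sample aliases are constructed."""
import re
from dataclasses import dataclass, field

ALLOWED_SERVERS = {"server1", "server2", "server3"}   # constructed allowlist
MAX_ACCOUNTS = 50                                      # constructed cap
# domain\user, conservative character set (assumption for the example)
ALIAS_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}\\[A-Za-z0-9_.-]{1,64}$")


@dataclass
class Lab:
    """Stand-in for the mail relay and the log file on the server."""
    sent: list = field(default_factory=list)     # (to, subject) pairs
    audit: list = field(default_factory=list)    # what the log file would hold

    def notify(self, to, server):
        # mapping alias -> corporate mailbox elided; the alias is used as-is
        self.sent.append((to, f"Your account request has been received ({server})"))


def vulnerable_handler(form, lab):
    """The original design: whoever fills in the form picks the requester.
    Nothing ties the claimed alias to the person at the keyboard, so a
    prankster can have the lab mail anyone, and the log records only
    the claim, not who made it."""
    requester = form["alias"]            # attacker-controlled
    lab.audit.append(f"request as {requester}: {form['count']} on {form['server']}")
    # account creation on the target server elided
    lab.notify(requester, form["server"])
    return {"status": "ok", "requester": requester}


def hardened_handler(form, authenticated_user, lab):
    """Fixed design: the requester is the principal the web server
    authenticated. The alias field may stay on the page, but it must
    match that principal; a mismatch is refused and logged under the
    real identity, so a prank is attributable instead of anonymous."""
    if not authenticated_user:
        return {"status": "refused", "reason": "authentication required"}
    claimed = form.get("alias", "").strip()
    if claimed and claimed.lower() != authenticated_user.lower():
        lab.audit.append(f"REFUSED: {authenticated_user} tried to request as {claimed}")
        return {"status": "refused", "reason": "alias does not match logged-in user"}
    if not ALIAS_RE.match(authenticated_user):
        return {"status": "refused", "reason": "malformed principal"}
    try:
        count = int(form.get("count", ""))
    except ValueError:
        return {"status": "refused", "reason": "count is not an integer"}
    if not 1 <= count <= MAX_ACCOUNTS:
        return {"status": "refused", "reason": "count out of range"}
    server = form.get("server", "")
    if server not in ALLOWED_SERVERS:
        return {"status": "refused", "reason": "unknown server"}
    lab.audit.append(f"request by {authenticated_user}: {count} on {server}")
    # account creation on the target server elided
    lab.notify(authenticated_user, server)   # mail goes to the real requester only
    return {"status": "ok", "requester": authenticated_user}
```

The cost of the fix is exactly the convenience that caused the problem: a request from a shared machine with no corp login is refused rather than honoured on the strength of a typed-in alias. If that case has to be supported, the safe shape is still to send the notification to the authenticated principal and let them forward it, never to a recipient the form chose.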