Wheedle.co.nz: experiences, comments

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification

Forums › Startups › Wheedle.co.nz: experiences, comments

1 | ... | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | ... | 36

2385 posts

Uber Geek
+1 received by user: 286
Inactive user

#693898 1-Oct-2012 09:22

Singned up and listed two $1 auctions. Signup process when OK and it accepted my mobile number.

Adding pictures to the auction does not seem to work. When I select them, they upload but dont seem to get added to the auction ...

Lets see what happens

gzt

18689 posts

Uber Geek
+1 received by user: 7828

Lifetime subscriber

#693900 1-Oct-2012 09:25

Password recovery mechanism is sending a plain text password. We all know what that means. Great.

freitasm

BDFL - Memuneh
80661 posts

Uber Geek
+1 received by user: 41078

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#693903 1-Oct-2012 09:28

Wow. Just wow. If there's a SQL injection vulnerability on Wheedle (and seriously, there must be one somewhere, with so bad development practices) that spells doom.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

cws82us

788 posts

Ultimate Geek
+1 received by user: 23

#693905 1-Oct-2012 09:38

look like to me they copy some stuff what trademe got. like jobs it looks the same thing to me

join Quic and get free sign up when you click my link https://account.quic.nz/refer/250676

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#693912 1-Oct-2012 09:48

freitasm: Wow. Just wow. If there's a SQL injection vulnerability on Wheedle (and seriously, there must be one somewhere, with so bad development practices) that spells doom.

I'll give you a hint. If you add an apostrophe to any input, any input at all, it bounces you to the 404 not found page. But not the ASP.NET 404 page, it redirects you to /Views/Shared/404.aspx - this indicates to me they are bouncing you based on the presence of the apostrophe, rather than cleaning or parameterising input. You can't even search for something with an apostrophe in it!

(Edit: or a hyphen for that matter. You can't search for anything with a hyphen in it. Good lord this site fails on so many levels).

dpw

843 posts

Ultimate Geek
+1 received by user: 16

ID Verified

Trusted

#693919 1-Oct-2012 09:55

Kyanar:
freitasm: Wow. Just wow. If there's a SQL injection vulnerability on Wheedle (and seriously, there must be one somewhere, with so bad development practices) that spells doom.

I'll give you a hint. If you add an apostrophe to any input, any input at all, it bounces you to the 404 not found page. But not the ASP.NET 404 page, it redirects you to /Views/Shared/404.aspx - this indicates to me they are bouncing you based on the presence of the apostrophe, rather than cleaning or parameterising input. You can't even search for something with an apostrophe in it!

(Edit: or a hyphen for that matter. You can't search for anything with a hyphen in it. Good lord this site fails on so many levels).

Well, in the search box near the top of the page it actually removes "special characters" onkeyup.

EDIT: and that function is part of a huge bunch of script on the page! In the middle of that bunch (those bunches?) there are chunks of commented out scripts. Obviously page speed is not a priority for these guys...

Android user, software developer, a semi-typical (not a gamer) geek, and a Bernese Mountain Dog nut!

http://savitarbernese.com | https://nz.linkedin.com/in/danywu

Lenovo

Shop now for Lenovo laptops and other devices (affiliate link).

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#693929 1-Oct-2012 10:07

dpw: Well, in the search box near the top of the page it actually removes "special characters" onkeyup.

EDIT: and that function is part of a huge bunch of script on the page! In the middle of that bunch (those bunches?) there are chunks of commented out scripts. Obviously page speed is not a priority for these guys...

Aw crud. It only bounces you to the 404 not found page if there's one apostrophe. If there's two apostrophes, the input is accepted. Methinks that 404 not found page is also the default error page for... oh, I don't know... SqlException?

richms

29104 posts

Uber Geek
+1 received by user: 10222

Trusted

Lifetime subscriber

#693933 1-Oct-2012 10:12

Password length is 19 chars max, yet the field is 20 chars long.

Didnt like some characters in it.

Already looking like a failure at that point.

edit:

registered, took the confirmation number that I was emailed, and now everytime I log in I just get sent to

https://www.wheedle.co.nz/Views/Shared/404.aspx

and am not logged in.

Richard rich.ms

DoggNZ

437 posts

Ultimate Geek
+1 received by user: 9
Inactive user

#693940 1-Oct-2012 10:28

I really hope that Wheedle read this page and actually hire some developers who know what they're doing (instead of truck drivers copying and pasting..??) There needs to be decent competition to TM and I was hoping this would be it

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#693944 1-Oct-2012 10:31

richms: Password length is 19 chars max, yet the field is 20 chars long.

Didnt like some characters in it.

Already looking like a failure at that point.

edit:

registered, took the confirmation number that I was emailed, and now everytime I log in I just get sent to

https://www.wheedle.co.nz/Views/Shared/404.aspx

and am not logged in.

Is there an apostrophe in your password? If so, you're causing an SqlException when you log in. Otherwise, you're causing some other kind of Exception.

Batman

Mad Scientist
30014 posts

Uber Geek
+1 received by user: 6217

Trusted

Lifetime subscriber

#693945 1-Oct-2012 10:34

err ... fail of the year! haha - i share sam morgan's sentiments now!

Mighty Ape

Shop now at Mighty Ape (affiliate link).

Batman

Mad Scientist
30014 posts

Uber Geek
+1 received by user: 6217

Trusted

Lifetime subscriber

#693946 1-Oct-2012 10:35

mind you there is still a way to recover this ... but if they spent X millions creating this legless piece of wood ... the need to spend another 2-10x more to beat TM!

richms

29104 posts

Uber Geek
+1 received by user: 10222

Trusted

Lifetime subscriber

#693952 1-Oct-2012 10:37

Kyanar:

Is there an apostrophe in your password? If so, you're causing an SqlException when you log in. Otherwise, you're causing some other kind of Exception.

Nope, just 19 chars of mixed upper, lower and numerics

Heres some more gems I have found.

The password.

messed up layout or something

Someone not happy with being logged in as someone else.

Richard rich.ms

richms

29104 posts

Uber Geek
+1 received by user: 10222

Trusted

Lifetime subscriber

#693956 1-Oct-2012 10:41

So since it looks like they are chanign the search terms with javascript to remove things they dont like, has someone tried this yet? http://xkcd.com/327/

Richard rich.ms

floydbloke

3647 posts

Uber Geek
+1 received by user: 4554

ID Verified

#693958 1-Oct-2012 10:42

Another case of corporate marketing deadlines exceeding realistic delivery timeframes.

Sometimes I use big words I don't always fully understand in an effort to make myself sound more photosynthesis.

1 | ... | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | ... | 36