Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsStartupsWheedle.co.nz: experiences, comments
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | ... | 36


2385 posts

Uber Geek
+1 received by user: 286
Inactive user


  Reply # 693898 1-Oct-2012 09:22
Send private message

Singned up and listed two $1 auctions. Signup process when OK and it accepted my mobile number.

Adding pictures to the auction does not seem to work. When I select them, they upload but dont seem to get added to the auction ...

Lets see what happens

gzt

9579 posts

Uber Geek
+1 received by user: 1398


Reply # 693900 1-Oct-2012 09:25
Send private message

Password recovery mechanism is sending a plain text password. We all know what that means. Great.

 
 
 
 


Try Wrike: fast, easy, and efficient project collaboration software
BDFL - Memuneh
59999 posts

Uber Geek
+1 received by user: 11098

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 693903 1-Oct-2012 09:28
Send private message

Wow. Just wow. If there's a SQL injection vulnerability on Wheedle (and seriously, there must be one somewhere, with so bad development practices) that spells doom.





Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Backblaze cloud backup (personal and business)My technology disclosure  

 

You can support content creators (and Geekzone) by using the Brave browser.

726 posts

Ultimate Geek
+1 received by user: 6


  Reply # 693905 1-Oct-2012 09:38
Send private message

look like to me they copy some stuff what trademe got. like jobs it looks the same thing to me




               The Biggest and the Best.

2940 posts

Uber Geek
+1 received by user: 428

Trusted
Subscriber

  Reply # 693912 1-Oct-2012 09:48
Send private message

freitasm: Wow. Just wow. If there's a SQL injection vulnerability on Wheedle (and seriously, there must be one somewhere, with so bad development practices) that spells doom.



I'll give you a hint.  If you add an apostrophe to any input, any input at all, it bounces you to the 404 not found page.  But not the ASP.NET 404 page, it redirects you to /Views/Shared/404.aspx - this indicates to me they are bouncing you based on the presence of the apostrophe, rather than cleaning or parameterising input.  You can't even search for something with an apostrophe in it!

(Edit: or a hyphen for that matter.   You can't search for anything with a hyphen in it.  Good lord this site fails on so many levels).

dpw

810 posts

Ultimate Geek
+1 received by user: 13

Trusted

  Reply # 693919 1-Oct-2012 09:55
Send private message

Kyanar:
freitasm: Wow. Just wow. If there's a SQL injection vulnerability on Wheedle (and seriously, there must be one somewhere, with so bad development practices) that spells doom.



I'll give you a hint.  If you add an apostrophe to any input, any input at all, it bounces you to the 404 not found page.  But not the ASP.NET 404 page, it redirects you to /Views/Shared/404.aspx - this indicates to me they are bouncing you based on the presence of the apostrophe, rather than cleaning or parameterising input.  You can't even search for something with an apostrophe in it!

(Edit: or a hyphen for that matter.   You can't search for anything with a hyphen in it.  Good lord this site fails on so many levels).


Well, in the search box near the top of the page it actually removes "special characters" onkeyup.

EDIT: and that function is part of a huge bunch of script on the page! In the middle of that bunch (those bunches?) there are chunks of commented out scripts. Obviously page speed is not a priority for these guys...




Android user, software developer, a semi-typical (not a gamer) geek, and a Bernese Mountain Dog nut!

http://savitarbernese.com | https://nz.linkedin.com/in/danywu

2940 posts

Uber Geek
+1 received by user: 428

Trusted
Subscriber

  Reply # 693929 1-Oct-2012 10:07
Send private message

dpw: Well, in the search box near the top of the page it actually removes "special characters" onkeyup.

EDIT: and that function is part of a huge bunch of script on the page! In the middle of that bunch (those bunches?) there are chunks of commented out scripts. Obviously page speed is not a priority for these guys...


Aw crud.  It only bounces you to the 404 not found page if there's one apostrophe.  If there's two apostrophes, the input is accepted.  Methinks that 404 not found page is also the default error page for... oh, I don't know... SqlException?

20882 posts

Uber Geek
+1 received by user: 4094

Trusted
Subscriber

  Reply # 693933 1-Oct-2012 10:12
Send private message

Password length is 19 chars max, yet the field is 20 chars long.

Didnt like some characters in it.

Already looking like a failure at that point.

edit:

registered, took the confirmation number that I was emailed, and now everytime I log in I just get sent to

https://www.wheedle.co.nz/Views/Shared/404.aspx

and am not logged in.




Richard rich.ms

437 posts

Ultimate Geek
+1 received by user: 9
Inactive user


  Reply # 693940 1-Oct-2012 10:28
Send private message

I really hope that Wheedle read this page and actually hire some developers who know what they're doing (instead of truck drivers copying and pasting..??) There needs to be decent competition to TM and I was hoping this would be it Embarassed

2940 posts

Uber Geek
+1 received by user: 428

Trusted
Subscriber

  Reply # 693944 1-Oct-2012 10:31
Send private message

richms: Password length is 19 chars max, yet the field is 20 chars long.

Didnt like some characters in it.

Already looking like a failure at that point.

edit:

registered, took the confirmation number that I was emailed, and now everytime I log in I just get sent to

https://www.wheedle.co.nz/Views/Shared/404.aspx

and am not logged in.




Is there an apostrophe in your password?  If so, you're causing an SqlException when you log in.  Otherwise, you're causing some other kind of Exception.

Mad Scientist
18104 posts

Uber Geek
+1 received by user: 2268

Trusted
Lifetime subscriber

  Reply # 693945 1-Oct-2012 10:34
Send private message

err ... fail of the year! haha - i share sam morgan's sentiments now!

Mad Scientist
18104 posts

Uber Geek
+1 received by user: 2268

Trusted
Lifetime subscriber

  Reply # 693946 1-Oct-2012 10:35
Send private message

mind you there is still a way to recover this ... but if they spent X millions creating this legless piece of wood ... the need to spend another 2-10x more to beat TM!

20882 posts

Uber Geek
+1 received by user: 4094

Trusted
Subscriber

  Reply # 693952 1-Oct-2012 10:37
Send private message

Kyanar:

Is there an apostrophe in your password?  If so, you're causing an SqlException when you log in.  Otherwise, you're causing some other kind of Exception.


Nope, just 19 chars of mixed upper, lower and numerics

Heres some more gems I have found.



The password.



messed up layout or something



Someone not happy with being logged in as someone else.




Richard rich.ms

20882 posts

Uber Geek
+1 received by user: 4094

Trusted
Subscriber

  Reply # 693956 1-Oct-2012 10:41
Send private message

So since it looks like they are chanign the search terms with javascript to remove things they dont like, has someone tried this yet? http://xkcd.com/327/




Richard rich.ms

1609 posts

Uber Geek
+1 received by user: 724


  Reply # 693958 1-Oct-2012 10:42
Send private message

Another case of corporate marketing deadlines exceeding realistic delivery timeframes.




Don't use 'beefstew' as a password.  It's not stroganoff.

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | ... | 36
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Amazon launches the International Shopping Experience in the Amazon Shopping App
Posted 19-Apr-2018 08:38

Spark New Zealand and TVNZ to bring coverage of Rugby World Cup 2019
Posted 16-Apr-2018 06:55

How Google can seize Microsoft Office crown
Posted 14-Apr-2018 11:08

How back office transformation drives IRD efficiency
Posted 12-Apr-2018 21:15

iPod laws in a smartphone world: will we ever get copyright right?
Posted 12-Apr-2018 21:13

Lightbox service using big data and analytics to learn more about customers
Posted 9-Apr-2018 12:11

111 mobile caller location extended to iOS
Posted 6-Apr-2018 13:50

Huawei announces the HUAWEI P20 series
Posted 29-Mar-2018 11:41

Symantec Internet Security Threat Report shows increased endpoint technology risks
Posted 26-Mar-2018 18:29

Spark switches on long-range IoT network across New Zealand
Posted 26-Mar-2018 18:22

Stuff Pix enters streaming video market
Posted 21-Mar-2018 09:18

Windows no longer Microsoft’s main focus
Posted 13-Mar-2018 07:47

Why phone makers are obsessed with cameras
Posted 11-Mar-2018 12:25

New Zealand Adopts International Open Data Charter
Posted 3-Mar-2018 12:48

Shipments tumble as NZ phone upgrades slow
Posted 2-Mar-2018 11:48


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.