Skip to main content

It's Like the Olympics - But Steroids Are Allowed

1 month 2 weeks ago
"Think Olympics on steroids. Literally," quips the BBC, describing Sunday's controversial Enhanced Games event in Las Vegas featuring dozens of athletes "using performance-enhancing drugs to try and break world records in track, weightlifting and swimming. Some $25m (£18.6m) in prize money is up for grabs — with cash prizes for winners... The drugs they use must be legal, and approved by the Federal Drug Administration. But substances like testosterone and human growth hormone — banned by the World Anti-Doping Agency — are not only celebrated here, they're encouraged and for sale... Health experts warn that anabolic steroids and growth hormones can cause strokes and cardiovascular damage, among other risks. Event organisers claim Enhanced will push the limits of human performance while critics, especially in the Olympic movement, dismiss it as an affront to the spirit and founding principles of competitive sport... Earlier this month, the Enhanced Group — the company behind the competition — began trading on the New York Stock Exchange. And the competition is seemingly being treated as an opportunity for Enhanced to sell performance-enhancing medicine and supplements online. "The project was founded by entrepreneurs Aron D'Souza and Maximilian Martin in 2023," the artidcle points out, "and has attracted backing from prominent investors including billionaire Peter Thiel and Donald Trump Jr." And NPR adds that "Most of the participating athletes trained for the competition in Abu Dhabi, as part of Enhanced's own study." Enhanced did not break down what specific athletes used which drugs, but they announced on Wednesday in the lead-up to the event that 91% of the athletes competing used testosterone or testosterone esters, 79% used human growth hormone, and 62% used stimulants, such as adderall... The games have been largely panned by outside medical experts and sports governing bodies. Multiple recent studies assess the harm surrounding the Enhanced Games. Travis Tygart, the CEO of the U.S. Anti-Doping Agency, called the games a "dangerous clown show that puts profit over principle" in a statement. The International Olympic Committee said the games are a "betrayal of everything that we stand for." The World Anti-Doping Agency (WADA) last year urged U.S. authorities to stop the games. The International Federation of Sports Medicine said in 2024 that they see the medical oversight as "insufficient" to support the athletes.

Read more of this story at Slashdot.

EditorDavid

CodeSOD: Classic WTF: One-and-a-Half-Tiered Application Design

1 month 2 weeks ago
It's a holiday in the US today, so we're reaching back into the archives. What we really need is a single function that can do it all, and by "it" we mean "ruin your life." Original --Remy

There are several types of bad code; there's lazy code, frantic code, unaware-of-a-better-way code, and aware-of-a-better-way-but-too-apathetic-to-do-it code, to name a few. Then there're amalgamations of different types of bad code.

Môshe encountered such an amalgam when his company was trying out a new delivery service. Môshe spent some time evaluating the IE-only web interface, and was curious about some JavaScript errors he was getting. Strangely, he noticed variables named dateSQL, newSQLTag, and modeSQL.

Môshe dug a little deeper, probably thinking that his suspicions couldn't possibly be correct, only to find sendLinkVal() in the page's code:

function sendLinkVal(theDate,theStatus,MainTitle,PageTitle){ var dateSQL = " AND J.JBDeliveryDate=''" + theDate + "''" var status = "" var newSQLTag ="" var PageTitle = PageTitle var MainTitle = MainTitle //alert(dateSQL) switch (theStatus){ case "Confirmed": dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " status = " GlobalJobStatusView AS J WHERE J.JBCollectDate='' " + theDate + "'' AND J.JBConfirmed=''Yes'' AND J.MIStatusCode<>5" + modeSQL + " AND (ISNULL(J.JBCancelled, 0) <> 1) ORDER BY Convert(int, J.MIJobID)" break; case "Unconfirmed": dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " status = " GlobalJobStatusView AS J WHERE J.JBCollectDate='' " + theDate + "'' AND J.JBConfirmed=''No''" + modeSQL + " ORDER BY Convert(int, J.MIJobID)" break; case "Complete": dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " status = " GlobalJobStatusView AS J WHERE J.JBCollectDate='' " + theDate + "'' AND J.MIStatusCode=5" + modeSQL + " ORDER BY Convert(int, J.MIJobID)" break; case "Unconformed": dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " status = " GlobalJobStatusView AS J WHERE J.JBCollectDate='' " + theDate + "'' AND (J.MIConformance IS NOT NULL AND J.MIConformance<>'''') " + modeSQL + " ORDER BY Convert(int, J.MIJobID)" break; case "NoDelDate": dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " dateSQL =" GlobalJobStatusView AS J WHERE J.JBDeliveryDate IS NULL " + modeSQL + " ORDER BY Convert(int, J.MIJobID) " break; case "Collections": // the dateSQL is not required so set it to nothing so that it // doesn't interfere with the sql being generated at the end of // the function. dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " status = " GlobalJobStatusView AS J WHERE J.JBCollectDate='' " + theDate + "''" + modeSQL + " ORDER BY Convert(int, J.MIJobID)" break; case "Deliveries": // the dateSQL is not required so set it to nothing so that it // doesn't interfere with the sql being generated at the end of // the function. dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " status = " GlobalJobStatusView AS J WHERE J.JBDeliveryDate='' " + theDate + "''" + modeSQL + " ORDER BY Convert(int, J.MIJobID)" break; case "ColAndDel": // the dateSQL is not required so set it to nothing so that it // doesn't interfere with the sql being generated at the end of // the function. dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " status = " GlobalJobStatusView AS J WHERE ((J.JBDeliveryDate='' " + theDate + "'') OR (J.JBCollectDate=''" + theDate + "''))" + modeSQL + " ORDER BY Convert(int, J.MIJobID)" break; case "Subcontractor": // the dateSQL is not required so set it to nothing so that it // doesn't interfere with the sql being generated at the end of // the function. dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " status = " JobAndLoadView AS J WHERE (J.JBDeliveryDate='' " + theDate + "'') " + modeSQL + " ORDER BY Convert(int, J.MIJobID)" break; case "Cancelled": // the dateSQL is not required so set it to nothing so that it // doesn't interfere with the sql being generated at the end of // the function. dateSQL= "" var modeSQL = "" modeSQL = " AND (J.JBCompanyID=31337) " status = " GlobalJobStatusView AS J WHERE (J.JBCollectDate=='' " + theDate + "'') " + modeSQL + " AND ISNULL(J.JBCancelled, 0) = 1 ORDER BY Convert(int, J.MIJobID)" break; default : status =""; } newSQLTag = dateSQL + status; document.all.hiddenForm.linkVal.value = newSQLTag; document.all.hiddenForm.PageTitle.value = PageTitle document.all.hiddenForm.MainTitle.value = MainTitle document.all.hiddenForm.submit(); //alert(newSQLTag) }

Môshe could replace his customer ID with any other and access customer data, and for that matter, to modify or delete whatever he wanted. He could add or remove columns to tables. He could possibly even change permissions, add his own database user and deny all other users access.

Shocked, Môshe called the delivery service, who got him in touch with the developer of the system. This developer was equally shocked to learn that it was even possible to view a web page's JavaScript code, let alone that his architecture was open to SQL injection attacks from virtually any angle. He took immediate and decisive action; all queries were moved to the .NET backend.

Of course, the queries still didn't use parameters and are therefore still open to SQL injection, but now it takes slightly more effort to hack.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.
Jake Vinson