Wednesday, July 21, 2004

IntraLearn "Encrption.txt (sic)"

IntraLearn users:

You have been f***ed.

Any doubt?

Below is the text of Encrption.txt, which can be found in the cgi-bin directory of any IntraLearn port. (It may have been removed in post-3.5 installs.)
---------------------Encrption.txt----------------------------
Two files namely

reports/create_order.cfm
reports/repogen1.cfm

has been encrypted prior to version 2.3 and the source code is not available for the same. When encryting Intralearn, make sure to remove these two files before running cfencode.

Syntax for cfencode

cfencode directorypath/*.cfm /r /v "1"
---------------------Encrption.txt----------------------------


You see, Cold Fusion lets you encrypt your CFM files so your users can't view the source code. This prevents your clients from making unauthorized changes to the product.

IntraLearn lost the source code to part of their product, then left the above text file stating as much on their distribution CDs.

The funny thing (aside from the fact that they can't spell "encryption") is that the cfdecrypt utility was around a couple of years before IntraLearn hit version 2.6. They never bothered to do a Google search.

A quick note to anyone looking for cfdecrypt: as of this writing, the first hit is for a web interface to the utility. There is a compiled, command-line Windows binary available.

I wish I'd noticed the file ages ago. I could have e-mailed them the decrypted files back when they would have been useful.

Let your mind wander over the implications of a company losing source code to files they continue to distribute. Feel free to take into account the detail that their QA didn't catch the fact that they left an admission of this error in their distribution files.

Let's all hope the last person to work on those files wasn't building any back doors.

Fortunately, the back doors I found after decrypting their source no longer functioned. I don't know if they explicitly removed them, or if other changes to the code happened to break them.

And if you're from IntraLearn, don't worry, I'm not going to post the user names and passwords you hard coded into your "product."

1 comment:

Anonymous said...

Do you have any more information on problems with IntraLearn? I'm having issues with them and would like to hear what others have experienced when working with them.