KyleBerezin 5 days ago

I find myself thinking "wow, what an obvious bug. How did Microsoft not catch that?" but then I think back to some of my own extremely obvious bugs. Thankfully my code is much lower impact.

btreecat 5 days ago | parent [-]

I still think of the lessons learned from a root traverse bug I accidentally coded into one of our internal apps as a jr dev.

You could change the URL of the image, and get any file off the system to download as long as the service account had read access.

Invaluable XP, and really glad everything was behind AD authentication and internal users were trustworthy enough and operating in a network-isolated context.
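The bug class described in the comment above, as an added example that is not part of the thread or any commenter's code: a file lookup that joins the requested name onto an image directory, next to a version that resolves the path and checks containment. The function names, directory layout and file names are assumptions constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_resolve(base: Path, requested: str) -> Path:
    """Flawed pattern: join the request onto the base with no containment check."""
    return Path(os.path.normpath(base / requested))


def safe_resolve(base: Path, requested: str) -> Optional[Path]:
    """Return the real path only if it is a regular file inside base, else None."""
    root = base.resolve(strict=True)
    try:
        # resolve() collapses ".." and follows symlinks before the check below
        target = (root / requested).resolve(strict=True)
    except (OSError, ValueError):
        return None  # missing file or malformed path
    if not target.is_relative_to(root) or not target.is_file():
        return None
    return target


def demo() -> dict:
    """Run both resolvers over a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        top = Path(tmp).resolve()
        images = top / "images"
        images.mkdir()
        (images / "logo.png").write_bytes(b"constructed image bytes")
        secret = top / "service.conf"  # stands in for any file outside images/
        secret.write_text("constructed secret")
        os.symlink(secret, images / "link.png")  # symlink pointing outside images/
        cases = {
            "plain": "logo.png",
            "dotdot": "../service.conf",
            "absolute": str(secret),
            "symlink": "link.png",
            "missing": "missing.png",
        }
        result = {k: safe_resolve(images, v) is not None for k, v in cases.items()}
        result["naive_dotdot_escapes"] = naive_resolve(images, "../service.conf") == secret
        return result


if __name__ == "__main__":
    print(demo())
```

The containment check limits which paths the application will open; what the service account can read still bounds the damage if a check like this is missing.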

globular-toast 5 days ago | parent | next [-]

Yeah, having learnt very similar (if not the same) lessons myself the hard way, I see great value in being able to fail badly, but with low stakes. I catch loads of bugs like these from jrs before they hit prod, but I don't feel like they're learning the fundamentals of security like trust, sanitising inputs, least privilege etc.

lawlessone 5 days ago | parent | prev [-]

Sounds like how WordPress used to be. You could explore all the folders and get any file of the site with something like website.com/content/2010/

privatelypublic 5 days ago | parent [-]

That would be an incorrectly configured HTTP server. Not WordPress.

Things used to be distributed with .htaccess files, but only Apache uses them and so that got offloaded on "blame the admin for not following documentation." Forgetting that nobody ever adds such to the docs.

DaiPlusPlus 3 days ago | parent [-]

> That would be an incorrectly configured HTTP server. Not WordPress.

Nah, it's WordPress, or more specifically: the sorry state of its community plugins.