Many years ago I worked for a company who was a Microsoft certified partner. This was a long long time ago and I must admit that back then I was quite impressed by the fact that they were Microsoft certified partners… until I started working there. Redmond hands out certifications like a crack whore hands out cheap tricks — indiscriminately and to anyone who’s willing to pay fifty bucks.
Needless to say, this morning I was reading my gmail when I saw an ad for a “Microsoft GOLD Certified Development Partner based in Cape Town” and being the sado-masochist I am I clicked on the link… it was one of those /showpage.aspx?page_id=36 sort of sites. Ugly, but not necessarily dodgy. I put an apostrophe in the page id to see if they were cleaning their inputs and behold:
Line 166: Octigon.Octane8.Containers.Page tempPage = this._page;
Line 167:
Line 168: while (tempPage.Id != 1)
Line 169: {
Line 170: if (tempPage.Parent.Id == 1)
This shows that the site is vulnerable to sql injection… which, while not necessarily implying that the site can be hacked, does imply that, given enough time, you probably could hack it or at least cause some damage. The page also pukes out all kinds of file paths and stuff that would be useful if you were trying to do them harm.
The point here is this. Why is a web development company who are obviously bad web developers Microsoft Gold Certified?
The answer can only be that Gold Certification means absolutely nothing.
arbitraryuser 