Need guru eyes to check for security holes here

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

bulgin
Forum Commoner
Posts: 29
Joined: Wed Feb 11, 2009 8:47 pm

Need guru eyes to check for security holes here

Post by bulgin »

We will soon be implementing an internal auditing mechanism which uses email alerts for certain events. I've settled on the following code and would appreciate any feedback from the group on any obvious MySQL errors or flaws that my eyes may have missed. I am particularly keen on knowing if the last MySQL update statement would in fact be alright for a system that may have thousands of entries in the tables.

Thanks in advance.

Code:

<?php
include 'config.php';
include 'opendb.php';

// Select every access-log hit that matches a monitored widget and has not been mailed yet.
$mailer = mysql_query("SELECT substring( web1_access_log.request_uri, 9 ) , 
web1_access_log.sent_or_not_sent, 
web1_access_log.request_time, 
timestampadd(hour,4,from_unixtime(web1_access_log.time_stamp)) AS real_time, 
web1_access_log.remote_host, 
web1_access_log.id, 
access1.access1_subject, 
timestampadd(hour,4,from_unixtime(access1.real_epoch_time)) AS time_date ,
access1.access1_widget, 
access1.access1_monitored_email, 
access1.access1_alert_email_address

FROM web1_access_log JOIN access1 ON substring( web1_access_log.request_uri, 9 ) = access1.access1_widget 
where web1_access_log.sent_or_not_sent = '0'") or die (mysql_error());

// Send one alert mail per unsent log row.
// Array keys are quoted strings; bare words would be read as undefined constants.
while($user = @mysql_fetch_array($mailer)){
    $original_time=$user['time_date'];
    $id=$user['id'];
    $time=$user['real_time'];
    $ip=$user['remote_host'];
    $to=$user['access1_alert_email_address'];
    $subject="Alert";
    $original_subject=$user['access1_subject'];
    $monitored_account=$user['access1_monitored_email'];
    $body="On " .$time. " UTC, there was a violation from IP address " . $ip . ".\n" . "Subject line of Mail: " ."\"" . $original_subject ."\""."\n". "This message was originally created on ".$original_time." UTC." . "\n" ."Account: " .$monitored_account. "\n" .  "Our internal reference ID:" .$id;
    mail($to,$subject,$body);

    // Marks every joined log row as sent, not only the row just mailed; runs once per loop iteration.
    mysql_query("UPDATE web1_access_log, access1 set web1_access_log.sent_or_not_sent = 1 where substring( web1_access_log.request_uri, 9 ) = access1.access1_widget") or die (mysql_error());
}

?>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Need guru eyes to check for security holes here

Post by kaisellgren »

Who has the power to manipulate 'access1_alert_email_address' field?
bulgin
Forum Commoner
Posts: 29
Joined: Wed Feb 11, 2009 8:47 pm

Re: Need guru eyes to check for security holes here

Post by bulgin »

kaisellgren wrote: Who has the power to manipulate 'access1_alert_email_address' field?
That value is set by a web page interface and running apache2 as www-data pid and the field can only be set and changed by www-data.

I hope that answers the question. Of course, on the server which only has two users, root and www-data, it can be manipulated and changed via phpmyadmin.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Need guru eyes to check for security holes here

Post by kaisellgren »

I'm interested in knowing who (a person) could possibly alter it - e.g. through an interface? If only the site owner(s) can do it, then I see no problems.
bulgin
Forum Commoner
Posts: 29
Joined: Wed Feb 11, 2009 8:47 pm

Re: Need guru eyes to check for security holes here

Post by bulgin »

Thanks for your help. Only the site owner can alter it.
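
Added example, not part of the thread or of bulgin's code: one way to write the alert loop so that the stored recipient address is validated before it reaches the mailer, and each log row is flagged by its own id only after its mail is accepted. An in-memory SQLite database (PDO) stands in for the MySQL server, the `$send` callback stands in for `mail()`, `send_pending_alerts` is a hypothetical name, and all rows are constructed; table and column names are the ones in the post.

```php
<?php
// Added example. SQLite in memory stands in for MySQL; all rows are constructed.
function send_pending_alerts(PDO $db, callable $send): array
{
    $rows = $db->query(
        "SELECT l.id, l.remote_host, l.time_stamp, a.access1_subject,
                a.access1_monitored_email, a.access1_alert_email_address
           FROM web1_access_log l
           JOIN access1 a ON substr(l.request_uri, 9) = a.access1_widget
          WHERE l.sent_or_not_sent = 0"
    )->fetchAll(PDO::FETCH_ASSOC);
    // Flags exactly one row, by primary key, bound as a parameter.
    $mark = $db->prepare('UPDATE web1_access_log SET sent_or_not_sent = 1 WHERE id = ?');
    $result = ['sent' => [], 'skipped' => []];
    foreach ($rows as $r) {
        $to = $r['access1_alert_email_address'];
        // The recipient is stored data: accept a single valid address only.
        // This also rejects CR/LF, which would otherwise add mail headers.
        if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
            $result['skipped'][] = (int) $r['id'];   // stays unsent for review
            continue;
        }
        // Message body abridged from the post; gmdate() yields UTC directly.
        $body = 'On ' . gmdate('Y-m-d H:i:s', (int) $r['time_stamp'])
              . ' UTC, there was a violation from IP address ' . $r['remote_host'] . ".\n"
              . 'Subject line of Mail: "' . $r['access1_subject'] . "\"\n"
              . 'Account: ' . $r['access1_monitored_email'] . "\n"
              . 'Our internal reference ID:' . $r['id'];
        if ($send($to, 'Alert', $body)) {            // flag only after the mail is accepted
            $mark->execute([$r['id']]);
            $result['sent'][] = (int) $r['id'];
        }
    }
    return $result;
}
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE access1 (access1_widget TEXT, access1_subject TEXT,
    access1_monitored_email TEXT, access1_alert_email_address TEXT)");
$db->exec("CREATE TABLE web1_access_log (id INTEGER PRIMARY KEY, request_uri TEXT,
    time_stamp INTEGER, remote_host TEXT, sent_or_not_sent INTEGER DEFAULT 0)");
$db->exec("INSERT INTO access1 VALUES
    ('w1.gif', 'Q3 report', 'user@example.com', 'audit@example.com'),
    ('w2.gif', 'Payroll', 'hr@example.com', 'audit@example.com' || char(10) || 'Bcc: x@example.net')");
$db->exec("INSERT INTO web1_access_log (request_uri, time_stamp, remote_host) VALUES
    ('/images/w1.gif', 1234567890, '192.0.2.10'), ('/images/w2.gif', 1234567900, '192.0.2.11')");
$outbox = [];
$send = function ($to, $subject, $body) use (&$outbox) { $outbox[] = [$to, $body]; return true; };
print_r(send_pending_alerts($db, $send));
```

Rows that arrive in the log between the SELECT and the end of the loop keep `sent_or_not_sent = 0` and are picked up by the next run, because only the ids that were actually mailed are updated.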