Page 1 of 1

Need guru eyes to check for security holes here

Posted: Thu Jun 25, 2009 11:22 am
by bulgin
We will soon be implementing an internal auditing mechanism which uses email alerts for certain events. I've settled on the following code and would appreciate any feedback from the group on any obvious MySQL errors or flaws that my eyes may have missed. I am particularly keen on knowing if the last MySQL update statement would in fact be alright for a system that may have thousands of entries in the tables.

Thanks in advance.

Code: Select all

<?php
include 'config.php';
include 'opendb.php';
 
 
$mailer = mysql_query("SELECT substring( web1_access_log.request_uri, 9 ) , 
web1_access_log.sent_or_not_sent, 
web1_access_log.request_time, 
timestampadd(hour,4,from_unixtime(web1_access_log.time_stamp)) AS real_time, 
web1_access_log.remote_host, 
web1_access_log.id, 
access1.access1_subject, 
timestampadd(hour,4,from_unixtime(access1.real_epoch_time)) AS time_date ,
access1.access1_widget, 
access1.access1_monitored_email, 
access1.access1_alert_email_address
 
FROM web1_access_log JOIN access1 ON substring( web1_access_log.request_uri, 9 ) = access1.access1_widget 
where web1_access_log.sent_or_not_sent = '0'") or die (mysql_error());
 
while($user = @mysql_fetch_array($mailer)){
$original_time=$user[time_date];
$id=$user[id];
$time=$user[real_time];
$ip=$user[remote_host];
$to=$user[access1_alert_email_address];
$subject="Alert";
$original_subject=$user[access1_subject];
$monitored_account=$user[access1_monitored_email];
$body="On " .$time. " UTC, there was a violation from IP address " . $ip . ".\n" . "Subject line of Mail: " ."\"" . $original_subject ."\""."\n". "This message was originally created on ".$original_time." UTC." . "\n" ."Account: " .$monitored_account. "\n" .  "Our internal reference ID:" .$id;
mail($to,$subject,$body) ; 
 
 
mysql_query("UPDATE web1_access_log, access1 set web1_access_log.sent_or_not_sent = 1 where substring( web1_access_log.request_uri, 9 ) = access1.access1_widget") or die (mysql_error());
}
 
?>

Re: Need guru eyes to check for security holes here

Posted: Thu Jun 25, 2009 11:59 am
by kaisellgren
Who has the power to manipulate 'access1_alert_email_address' field?

Re: Need guru eyes to check for security holes here

Posted: Thu Jun 25, 2009 1:10 pm
by bulgin
kaisellgren wrote:Who has the power to manipulate 'access1_alert_email_address' field?
That value is set by a web page interface and running apache2 as www-data pid and the field can only be set and changed by www-data.

I hope that answers the question. Of course, on the server which only has two users, root and www-data, it can be manipulated and changed via phpmyadmin.

Re: Need guru eyes to check for security holes here

Posted: Thu Jun 25, 2009 1:15 pm
by kaisellgren
I'm interested in knowing who (a person) could possibly alter it - e.g. through an interface? If only the site owner(s) can do it, then I see no problems.

Re: Need guru eyes to check for security holes here

Posted: Thu Jun 25, 2009 1:32 pm
by bulgin
Thanks for you help. Only site owner can alter it.