[kwlug-disc] KWLUG error and security issue

unsolicited unsolicited at swiz.ca
Tue Mar 2 21:55:26 EST 2010


Interestingly, given the thread, clicking on the link gives me access 
denied, as expected, but also another error.

Access denied
user warning: Table 'accesslog' is marked as crashed and should be 
repaired query: INSERT INTO accesslog (title, path, url, hostname, 
uid, sid, timer, timestamp) values('Regular Expressions', 'node/664', 
'', '<my ip address>', 0, '2c2034631a60a1d6715ac49c1378c9d8', 508, 
1267540439) in 
/u2/home/kwlugor/public_html/includes/database.mysql.inc on line 172.
You are not authorized to access this page.

Correct me if I'm wrong, and perhaps only once in syslog, but 
shouldn't throws like this be able to kick a notification e-mail off 
(if set up)?

I get the noise level issue. But if such errors are thrown seldom 
enough that they were a surprise to Paul, perhaps it won't be too noisy?

I guess the real question is, when thrown, how broken is the site / 
how quickly is a response/repair really needed? In our case. YMMV, I 
suppose.

FWIW, never seen such errors on the site, myself, before.

Khalid Baheyeldin wrote, On 03/02/2010 8:46 PM:
> On Tue, Mar 2, 2010 at 7:55 PM, Paul Nijjar <paul_nijjar at yahoo.ca 
> <mailto:paul_nijjar at yahoo.ca>> wrote:
> 
>     On Tue, Mar 02, 2010 at 10:35:12AM -0500, Khalid Baheyeldin wrote:
>      > Paul or someone with ssh access. Do this:
>      >
>      > # mysql dbname
>      > mysql > repair table accesslog;
>      >
>      > That should fix this problem.
> 
>     I assume this output is okay?
> 
>     mysql> repair table accesslog;
>     +---------------------------+--------+----------+------------------------------$
>     | Table                     | Op     | Msg_type | Msg_text          
>               $
>     |
>     +---------------------------+--------+----------+------------------------------$
>     | db.accesslog | repair | warning  | Number of rows changed
>     from 500179 to 500184 |
>     | db.accesslog | repair | status   | OK                           $
>     |
>     +---------------------------+--------+----------+------------------------------$
>     2 rows in set (41.84 sec)
> 
> 
> Yes. Table is repaired.
>  
> 
>     Stupid question time: if errors are not verbose, then how will we know
>     that they are happening? I log into the site about once a month. If I
>     bother to look at
> 
>     http://kwlug.org/admin/logs/watchdog
> 
>     then I see the errors, but unless the site admins can somehow get
>     notified
>     when these bad things happen it's almost better if users see the errors
>     and report them, no? Many eyes make shallow bugs and all that?
> 
> 
> Good question, and depends on how the site is managed.
> 
> I don't think a message with a SQL error is a security risk per se. 
> Annoying?
> Yes. Too much info? Yes. But it does not open any new holes.
> 
> In this case, because no one checks daily, then it may be best to put it 
> back
> to what it was, and hope some one sees it sooner, like what happened.
> 
> Another thing you can do is install the watchdog patch from here
> http://drupal.org/node/149341 which makes Drupal 5 behave like Drupal 6
> in logging. This means you can enable the syslog module and have all
> the watchdog stuff go to flat files, and then use your favorite log parser
> (tenshi, logwatch) or one of John V's regexps to filter the noise out and
> email you daily the odd stuff.
> -- 
> Khalid M. Baheyeldin
> 2bits.com <http://2bits.com>, Inc.
> http://2bits.com
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org



More information about the kwlug-disc_kwlug.org mailing list