[kwlug-disc] KWLUG error and security issue

Khalid Baheyeldin kb at 2bits.com
Tue Mar 2 22:24:18 EST 2010


On Tue, Mar 2, 2010 at 9:55 PM, unsolicited <unsolicited at swiz.ca> wrote:

> Interestingly, given the thread, clicking on the link gives me access
> denied, as expected, but also another error.
>
> Access denied


I see the access denied, which is normal since this is an /admin page.

> user warning: Table 'accesslog' is marked as crashed and should be repaired
> query: INSERT INTO accesslog (title, path, url, hostname, uid, sid, timer,
> timestamp) values('Regular Expressions', 'node/664', '', '<my ip address>',
> 0, '2c2034631a60a1d6715ac49c1378c9d8', 508, 1267540439) in
> /u2/home/kwlugor/public_html/includes/database.mysql.inc on line 172.
>

I don't see this message.


> You are not authorized to access this page.
>
> Correct me if I'm wrong, and perhaps only once in syslog, but shouldn't
> throws like this be able to kick a notification e-mail off (if set up)?
>

In theory, anything that works off logs is possible. Be it email, pager, txt
msg, ...etc.

> I get the noise level issue. But if such errors are thrown seldom enough
> that they were a surprise to Paul, perhaps it won't be too noisy?
>

> I guess the real question is, when thrown, how broken is the site / how
> quickly is a response/repair really needed? In our case. YMMV, I suppose.
>

Depends on the table that is broken. In this case, the accesslog table
contains just historical info used for "nice to have" features. But if it is
a more crucial table, e.g. node or users, then things will be more broken
than this.

> FWIW, never seen such errors on the site, myself, before.
>

The only time I see these errors is when the server is restarted and MySQL
has no chance to write its buffers to disk or something like that. Can't
tell if this is the case with that error or not.

>
> Khalid Baheyeldin wrote, On 03/02/2010 8:46 PM:
>
>> On Tue, Mar 2, 2010 at 7:55 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:
>>
>>    On Tue, Mar 02, 2010 at 10:35:12AM -0500, Khalid Baheyeldin wrote:
>>     > Paul or someone with ssh access. Do this:
>>     >
>>     > # mysql dbname
>>     > mysql > repair table accesslog;
>>     >
>>     > That should fix this problem.
>>
>>    I assume this output is okay?
>>
>>    mysql> repair table accesslog;
>>
>>    +--------------+--------+----------+----------------------------------------------+
>>    | Table        | Op     | Msg_type | Msg_text                                     |
>>    +--------------+--------+----------+----------------------------------------------+
>>    | db.accesslog | repair | warning  | Number of rows changed from 500179 to 500184 |
>>    | db.accesslog | repair | status   | OK                                           |
>>    +--------------+--------+----------+----------------------------------------------+
>>    2 rows in set (41.84 sec)
>>
>>
>> Yes. Table is repaired.
>>
>>    Stupid question time: if errors are not verbose, then how will we know
>>    that they are happening? I log into the site about once a month. If I
>>    bother to look at
>>
>>    http://kwlug.org/admin/logs/watchdog
>>
>>    then I see the errors, but unless the site admins can somehow get
>>    notified when these bad things happen it's almost better if users see
>>    the errors and report them, no? Many eyes make shallow bugs and all that?
>>
>>
>> Good question, and depends on how the site is managed.
>>
>> I don't think a message with a SQL error is a security risk per se.
>> Annoying? Yes. Too much info? Yes. But it does not open any new holes.
>>
>> In this case, because no one checks daily, it may be best to put it back
>> to what it was, and hope someone sees it sooner, like what happened.
>>
>> Another thing you can do is install the watchdog patch from here
>> http://drupal.org/node/149341 which makes Drupal 5 behave like Drupal 6
>> in logging. This means you can enable the syslog module and have all
>> the watchdog stuff go to flat files, and then use your favorite log parser
>> (tenshi, logwatch) or one of John V's regexps to filter the noise out and
>> email you daily the odd stuff.
>> --
>> Khalid M. Baheyeldin
>> 2bits.com, Inc.
>>
>> http://2bits.com
>> Drupal optimization, development, customization and consulting.
>> Simplicity is prerequisite for reliability. --  Edsger W. Dijkstra
>> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> kwlug-disc_kwlug.org mailing list
>> kwlug-disc_kwlug.org at kwlug.org
>> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>>
>



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W. Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
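The "filter the noise out and email you daily the odd stuff" step that Khalid describes (watchdog entries sent to syslog, then a parser that drops the routine entries and mails only what is worth a look), as an added example that is not part of this thread and not Drupal's own code. The script assumes the pipe-separated field order of the Drupal 6 syslog module (base_url|timestamp|type|ip|request_uri|referer|uid|link|message) behind a standard syslog prefix; the sample log lines are constructed, the session id is a placeholder, and the log path in the usage comment is hypothetical.

```python
"""Daily watchdog digest for a Drupal site that sends watchdog entries to syslog.

Example code added to this thread, not Khalid's, Paul's or Drupal's own: it
reads syslog lines, counts the routine noise (access denied on /admin pages,
page not found) instead of listing it, folds repeats of one error such as the
crashed-table warning into a single entry with a count, and returns the text
a cron job would pipe to mail. The field layout is an ASSUMPTION about the
Drupal 6 syslog module: base_url|timestamp|type|ip|request_uri|referer|uid|link|message.
"""
import re
import sys
from collections import Counter, OrderedDict

# Standard syslog prefix, then the pipe-separated watchdog fields (assumed layout).
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>[\d:]{8}) (?P<host>\S+) "
    r"drupal: (?P<rest>.*)$"
)
FIELDS = ("base_url", "timestamp", "type", "ip", "request_uri",
          "referer", "uid", "link", "message")

# Watchdog types that are routine on this site and only worth a count.
NOISE_TYPES = {"access denied", "page not found"}

# Messages that must always be surfaced, whatever their watchdog type.
ALERT_PATTERNS = (
    re.compile(r"marked as crashed and should be repaired"),  # MyISAM table crash
    re.compile(r"^(user )?(warning|error):", re.I),          # PHP / database warnings
)

# Constructed sample input: documentation-range IPs, '<sid>' as a placeholder session id.
SAMPLE_LOG = """\
Mar  2 21:55:01 kwlug drupal: http://kwlug.org|1267540439|access denied|203.0.113.5|http://kwlug.org/admin/logs/watchdog||0||admin/logs/watchdog
Mar  2 21:55:02 kwlug drupal: http://kwlug.org|1267540440|php|203.0.113.5|http://kwlug.org/node/664||0||user warning: Table 'accesslog' is marked as crashed and should be repaired query: INSERT INTO accesslog (title, path, url, hostname, uid, sid, timer, timestamp) values('Regular Expressions', 'node/664', '', '203.0.113.5', 0, '<sid>', 508, 1267540439) in /u2/home/kwlugor/public_html/includes/database.mysql.inc on line 172.
Mar  2 21:56:10 kwlug drupal: http://kwlug.org|1267540570|page not found|198.51.100.7|http://kwlug.org/favicon.ico||0||favicon.ico
Mar  2 21:57:00 kwlug drupal: http://kwlug.org|1267540620|user|203.0.113.5|http://kwlug.org/user/login||0||Session opened for alice.
Mar  2 21:58:00 kwlug drupal: http://kwlug.org|1267540680|php|203.0.113.5|http://kwlug.org/node/12||0||user warning: Table 'accesslog' is marked as crashed and should be repaired query: INSERT INTO accesslog (title, path, url, hostname, uid, sid, timer, timestamp) values('Meeting notes', 'node/12', '', '203.0.113.5', 0, '<sid>', 311, 1267540680) in /u2/home/kwlugor/public_html/includes/database.mysql.inc on line 172.
Mar  2 21:59:00 kwlug CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_line(line):
    """Return the watchdog fields of one syslog line, or None if it is not a drupal line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("rest").split("|", len(FIELDS) - 1)  # message may itself contain '|'
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    entry["host"] = m.group("host")
    return entry


def collapse_key(entry):
    """Key that folds repeats of one error: drop the per-request SQL text between 'query:' and the file name."""
    msg = re.sub(r" query: .* in (/\S+)", r" in \1", entry["message"])
    return (entry["type"], msg)


def build_digest(log_text):
    """Classify every line: alerts folded by message, noise counted per type, the rest tallied."""
    alerts = OrderedDict()  # collapse_key -> {"count", "first", "uris"}
    noise = Counter()
    other = unparsed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            unparsed += 1  # a non-drupal syslog line, or a line in an unexpected layout
            continue
        if any(p.search(entry["message"]) for p in ALERT_PATTERNS):
            slot = alerts.setdefault(collapse_key(entry),
                                     {"count": 0, "first": entry["timestamp"], "uris": set()})
            slot["count"] += 1
            slot["uris"].add(entry["request_uri"])
        elif entry["type"] in NOISE_TYPES:
            noise[entry["type"]] += 1
        else:
            other += 1
    return {"alerts": alerts, "noise": noise, "other": other, "unparsed": unparsed}


def format_digest(digest):
    """Render the mail body; an empty string means there is nothing worth sending today."""
    if not digest["alerts"]:
        return ""
    lines = ["Watchdog digest: %d distinct alert(s)" % len(digest["alerts"]), ""]
    for (wtype, msg), slot in digest["alerts"].items():
        lines.append("[%s] x%d (first at %s) %s" % (wtype, slot["count"], slot["first"], msg))
        lines.append("    seen on: " + ", ".join(sorted(slot["uris"])))
    lines.append("")
    lines.append("Noise suppressed: " + ", ".join("%s=%d" % kv for kv in sorted(digest["noise"].items())))
    lines.append("Other routine entries: %d; unparsed lines: %d" % (digest["other"], digest["unparsed"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # e.g. python3 watchdog_digest.py /var/log/drupal.log  (hypothetical path); no argument runs the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    body = format_digest(build_digest(text))
    if body:
        print(body)
```

Run it from cron over the previous day's log and only hand the output to mail when it is non-empty (for example by writing to a file and testing it with `[ -s file ]`), so quiet days send nothing and an admin who logs in once a month still gets told the day a table crashes. NOISE_TYPES should hold only the types the admins have agreed are expected, and ALERT_PATTERNS is where a site's own known failure signatures go; anything the parser cannot read is counted rather than dropped, so a format change shows up as a rising "unparsed" number instead of silence.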