I nominate the University of Sydney for "Downtime Notice Of The Year 2012"



  • They have just been hit by a tidal wave of traffic after making the front page of Reddit with an article about how everybody is pretty sick of Facebook.

    For some reason, they have deigned to take this opportunity to print_r their database access credentials in their 503 downtime notice. Their MySQL hostname, username and password are exposed by this, along with a few tidbits of information about the directory structure of the web server and the names of their database tables.

    Presumably somebody has left a debug print_r in there to output details of any failed queries. Normally it's fine, but now that the database is browned out, everything gets printed to everyone right at the moment they're getting the most traffic. Here is my favourite query:

    
    SELECT * FROM `()`
    


  • As I continue to stare in disbelief at this stack trace, I'm starting to build up a mental picture of the amount of WTF that resides in this codebase. For example, the misspelled "persistant" attribute of the MySQLDatabase class. And the mysterious "load_definesymbols" function.

    And by the way, what is it with highly-experienced professional PHP software engineers and inventing their own file suffixes? I swear I see this in literally every bespoke PHP codebase I encounter. In this case they've gone with ".lib", presumably to differentiate their high quality reusable code from your typical 1000 line procedural page generator PHP script. But I've come across things like .inc, .class, .tpl, or even .class.php in various different places.


  • Winner of the 2016 Presidential Election

    It's been over a decade since my PHP days, but changing the file extension and .htaccess was a cheap-and-dirty way to stop Apache from serving up PHP files that should never be hit directly. It also helped to differentiate the purpose of the files. Note: I'm not defending this practice.



  • "Presumably somebody has left a debug print_r in there to output details of any failed queries."

    Seems perfectly reasonable. After all, it will be fully tested before going live, so there's no chance that this code will ever get executed in production.



  • Well their database is emptied-out by now. Hope they had backups.

    I took a screenshot for posterity in case their website 100% fails.



  • @GNU Pepper said:

    Presumably somebody has left a debug print_r in there to output details of any failed queries.
     

    I. Just. I -- what?

    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    The questions-- I-- w-- when? Brain can't focus on the 5 Ws. Ack!



  • @blakeyrat said:

    Well their database is emptied-out by now. Hope they had backups.

    I took a screenshot for posterity in case their website 100% fails.

    Is there a MySQL version of xp_cmdshell? If so, I'm sure their webserver is emptied out now. Possibly anything attached to the server, too.



  • Well we know for sure at least one PHP file remains, haha.

    IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)



  • @Lorne Kates said:

    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    If it does (I honestly have no idea) it's almost certainly off by default and poorly documented.

    With PHP, the question is not Does feature X exist in PHP? but rather Does any PHP developer know that feature X exists in PHP? PHP's documentation is so awful, and there's such a wealth of incredibly bad example code easily found on Google, that it doesn't really matter if a good way of doing something exists — the bad ways are almost always more discoverable and easier to implement.



  • Did you perhaps mean the backtick syntax that runs a string using the shell after doing normal variable replacements?

    That's a language feature and is not gonna get deprecated or removed, since it does exactly what it was designed and the design has no flaws.



  • @Lorne Kates said:

    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    No, it doesn't - there is no way to restrict the output of print_r() or even the PHP notice/warnings/errors etc without some if() statements...

    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to [b]172.20[/b].9.1...



  • @bezking said:

    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
     

    Why did you bold the first half of that IP address? Is there something significant about that subnet that we ought to recognize when we see it?



  • @Mason Wheeler said:

    @bezking said:

    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...

    Why did you bold the first half of that IP address? Is there something significant about that subnet that we ought to recognize when we see it?

    From RFC 1918:

    3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the
    following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)


  • @Mason Wheeler said:

    @bezking said:

    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
     

    Why did you bold the first half of that IP address? Is there something significant about that subnet that we ought to recognize when we see it?

    RFC1918?



  • @Mason Wheeler said:

    Why did you
     

    .. nope. Too obvious.

    Move along. Nothing to see.



  • Oh, so that's why my work's servers all begin with those numbers. I see.



  • Morons! Everyone knows you wrap your debugging output in HTML comments!

    (the source is nicely formatted, anyway)



  • @Someone You Know said:

    there's such a wealth of incredibly bad example code easily found on Google, that it doesn't really matter if a good way of doing something exists — the bad ways are almost always more discoverable and easier to implement.

    It's this. Here's the proof. The first Google search result for "php mysql tutorial" is your classic terrible "webmaster tutorials" website and inadvertently teaches visitors how to build SQL injection vulnerabilities:

    
    $first=$_POST['first'];
    $last=$_POST['last'];
    $phone=$_POST['phone'];
    $mobile=$_POST['mobile'];
    $fax=$_POST['fax'];
    $email=$_POST['email'];
    $web=$_POST['web'];
    
    mysql_connect(localhost,$username,$password);
    @mysql_select_db($database) or die( "Unable to select database");
    
    $query = "INSERT INTO contacts VALUES ('','$first','$last','$phone','$mobile','$fax','$email','$web')";
    mysql_query($query);

    You can always tell you're dealing with highly-experienced professional PHP software engineers when the webserver bears the number one tell-tale mark of the cowboy.
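To make the tutorial's problem concrete, here is an added example (it is not the tutorial's code and not the University's): the same positional INSERT built by string interpolation, given a crafted `last` value, next to a version that uses a PDO prepared statement. It runs offline against an in-memory SQLite database; the table layout, the attacker input and the `insertContact()` function (which takes an array instead of reading `$_POST`) are constructed for the demonstration. On MySQL the prepared-statement calls are the same apart from the DSN.

```php
<?php
// Added example, not the tutorial's code. Runs offline against an in-memory
// SQLite database through PDO; on MySQL the prepared-statement calls are the
// same apart from the DSN. Table layout and attacker input are constructed.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Same eight positional columns as the tutorial's INSERT. "id" is a plain
// column here (not a rowid alias) so the tutorial's '' placeholder is accepted.
$pdo->exec('CREATE TABLE contacts (id INTEGER, first TEXT, last TEXT, phone TEXT,
            mobile TEXT, fax TEXT, email TEXT, web TEXT)');

// Constructed attacker input for the "last" field: it closes the string,
// supplies the remaining columns itself and puts a subquery in the last one.
// Everything after "--" (the tutorial's trailing columns) becomes a comment,
// so the statement stays syntactically valid and runs as a single INSERT.
$first = 'Jane';
$last  = "x','','','','','',(SELECT sqlite_version())) --";

// 1. The tutorial's approach: the value is spliced into the SQL text.
//    Executed here only to show the effect; never do this.
$vulnerableSql = "INSERT INTO contacts VALUES ('','$first','$last','','','','','')";
$pdo->exec($vulnerableSql);
$leaked = $pdo->query("SELECT web FROM contacts WHERE first = 'Jane'")->fetchColumn();
echo "web column now holds: $leaked\n";   // the subquery's result, not form data

// 2. Hardened approach: the SQL text is fixed, values are bound separately and
//    can never change the statement's structure.
function insertContact(PDO $pdo, array $row): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO contacts (first, last, phone, mobile, fax, email, web)
         VALUES (:first, :last, :phone, :mobile, :fax, :email, :web)'
    );
    foreach (['first', 'last', 'phone', 'mobile', 'fax', 'email', 'web'] as $col) {
        // Missing fields default to '' like the tutorial's empty form inputs.
        $stmt->bindValue(':' . $col, $row[$col] ?? '', PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();   // SQLite rowid of the new row
}

$rowid = insertContact($pdo, ['first' => $first, 'last' => $last]);
$stmt = $pdo->prepare('SELECT last FROM contacts WHERE rowid = :rowid');
$stmt->bindValue(':rowid', $rowid, PDO::PARAM_INT);
$stmt->execute();
$stored = $stmt->fetchColumn();
echo "stored last name: $stored\n";      // the payload, stored verbatim as data
var_dump($stored === $last);
```

Two caveats for anyone porting the safe half to MySQL: the `mysql_*` functions the tutorial uses were removed in PHP 7.0, so PDO or mysqli is the only route anyway, and with pdo_mysql you should also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared by the server rather than assembled client-side by quoting.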



  • Did you take a screenshot? It's gone now but I'm curious as to what was in the stack trace 😛

    Reminds me of when I saw some print_r debugging on one of the biggest news sites in Australia (news.com.au). The University of Sydney one is a lot worse though.



  • @bezking said:

    @Lorne Kates said:
    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    No, it doesn't - there is no way to restrict the output of print_r() or even the PHP notice/warnings/errors etc without some if() statements...

    Uh.. Yes there is (for warnings at least). print_r is the developer wanting to output data. Maybe he shouldn't have wanted to output it in this case.. but it was the developer's intention.

    As for hiding/showing errors... the common use is to NEVER show errors/warnings/notices on production, potentially to show them on development... and in the case of production to log them to a file instead. Plus, if you really wanted to get creative, you could actually check for the current status of error reporting. If you are sending stuff to a log, you could trigger_error the print_r and send it to your error log as well.

    Or, if you were particularly apt, not rely on the built-in logging functions (for print_r on DB fail) and build your own logging utility.

    Just because PHP is easy to make fun of, doesn't mean that you're correct in your statements.
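As an added example (not the University's code and not the poster's), here is the production arrangement this post describes, in PHP: display of errors off, logging on, a handler so notices and warnings go to the log with a request id, and the failed-query print_r sent to the same log with credentials redacted, while the client only ever receives a generic 503. The log path, the request-id scheme, the `logQueryFailure()`/`sendUnavailable()` helpers and the made-up database details are assumptions for the demonstration; it runs offline against an in-memory SQLite database.

```php
<?php
// Added example, not the University's code nor the poster's. Shows the
// production arrangement described above: nothing PHP raises reaches the
// client, everything goes to a log file, and the print_r of a failed query
// goes to the same log (with credentials redacted) instead of the 503 page.

// Production settings. These belong in php.ini / the FPM pool so they apply
// before any script runs; ini_set() is used here so the file is self-contained.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed path; PHP falls back to the SAPI log if it cannot be opened
error_reporting(E_ALL);

// Per-request id so a log entry can be matched to the generic page a user saw.
$requestId = bin2hex(random_bytes(8));

// Warnings/notices: write them to the log with the request id and return true
// so PHP's own (display-oriented) handling never runs.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) use ($requestId): bool {
    error_log(sprintf('[%s] php error %d: %s at %s:%d', $requestId, $errno, $errstr, $errfile, $errline));
    return true;
});

// What the debug print_r should have been: same data, to the log, minus secrets.
function logQueryFailure(string $requestId, PDOException $e, array $context): void
{
    foreach (['password', 'pass', 'pwd'] as $secret) {
        if (array_key_exists($secret, $context)) {
            $context[$secret] = '[redacted]';
        }
    }
    $context['error'] = $e->getMessage();
    error_log(sprintf('[%s] query failed: %s', $requestId, print_r($context, true)));
}

// Generic notice for the client: a reference they can quote, never the details.
function sendUnavailable(string $requestId): void
{
    http_response_code(503);
    header('Retry-After: 120');
    header('Content-Type: text/plain; charset=utf-8');
    echo "The service is temporarily unavailable. Reference: $requestId\n";
}

// Demonstration against an in-memory SQLite database so it runs offline.
// The connection details are made up, standing in for the config that leaked.
$dbConfig = ['host' => 'db.example.internal', 'user' => 'webapp', 'password' => 'hunter2'];
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

try {
    $sql = 'SELECT * FROM `()`';   // the thread's favourite query; fails on any database
    $pdo->query($sql);
} catch (PDOException $e) {
    logQueryFailure($requestId, $e, $dbConfig + ['sql' => $sql]);
    sendUnavailable($requestId);
}
```

If developers do need the raw details on screen, gate that on an explicit allowlist of `$_SERVER['REMOTE_ADDR']` values (loopback, a bastion) and never on a client-supplied header such as X-Forwarded-For; even then, redact credentials before anything is rendered, since the log entry above is the copy that should carry the diagnosis.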

