22 Dec

Security concerns with open source web apps and how to be safe

Best Practices

During some routine research on the net today I visited a security advisory site, and it reminded me how easy it is for script kiddies to break into most outdated open source apps. This is nothing new, but I feel it is worth sharing my experience as a web developer. For instance, this website has a special section for web apps featuring the latest vulnerabilities and potential security compromises: http://milw0rm.com/webapps.php

If you start browsing through it, you will easily find everything from file disclosure attacks to SQL injections. And it doesn't stop there: for most of the reported security issues, people have even published a test script or attacker code that can be run from anyone's computer, which increases the number of possible attackers who are not just aware of the flaw but are now provided with real tools to do what they want with a victim website. I've seen many websites go down in huge numbers when such vulnerabilities are out in public. One of the biggest vulnerabilities in phpBB, an open source forum, was released a few years back. It allowed any attacker to gain shell access to the victim website, and yes, I did try it on my server before fixing the code. I saw hundreds of websites go down in a matter of a few hours. Later, the flaw was such a big hit to phpBB that it was named as a worm. You can see the BBC news article for stats etc. on it.

My clients ask me, 'this new open source technology is cool; we would like to go with it. What do you think?' I often stop and think for a second. Sometimes I also try to explain the positive and negative aspects to them. I know that the decision to use open source technology will save time and budget anyway, so most of the time I leave the decision to them. But I know it's not as safe as a custom-made app; I believe using something that is accessible to thousands of people comes with its own disadvantages (and advantages too, for that matter).

So should you really stop using WordPress or Joomla or any other open source tech?

No, and yes. First, you have to accept one thing: by choosing an open source app, you're leaving yourself somewhat more open to attacks, and you have to accept that fact. But good open source projects like Joomla, WordPress, phpBB and many others with big communities are more responsive to such attacks: within a few hours of a vulnerability becoming public they release security updates, and they have good platforms to notify the people using them. Sometimes these project owners are informed even before the attack is made public. Still, you can't trust a community if you are handling sensitive data or sensitive operations with your application. For the same reason, I wouldn't recommend any open source web app to any government institution, ever.

So, is open source with the backing of a big community good enough?

No matter how good or bad a project's community might be, in any case you have to keep your eyes open for such new vulnerabilities. If you've just launched an app and left it ignored on a server for months, you're likely to get hacked before any other active website. Remember, good administration is a must when using open source web apps. I highly recommend that you either keep an eye on such alerts yourself or let your developers do the job. Like they say, prevention is better than cure. Being proactive in preventing an attack is much easier than getting back online after your app has been compromised because of some vulnerability.

What do we recommend?

  • Keep an eye on security updates from the project's website
  • Always use the latest stable version of the software, and update it promptly
  • Keep an eye on advisory boards or similar websites (the best thing is to create a Google web alert to notify you when something like this is out)
  • Timely automated backups

If you're not already doing this, I highly recommend getting on it from today if you really care about your website. Hope this helps. Thanks for reading.

- Abhimanyu Grover

19 Nov

Great way to test outgoing emails while developing a web-app

Best Practices

Every web developer uses mail() and spends some time testing whether it is working and whether the mail format is right. And when you have a big app with a lot of emails to test, this can eat up a lot of testing time.

Many developers use an SMTP server running on their local host, others use some sort of complicated script, while others might depend on external SMTP servers for testing outgoing mail from their web app. We were also using some sort of SMTP server for testing our outgoing emails, but if you want to see the best way to do it, here it is:

Test Mail Server tool

The program listens on localhost on an SMTP port (usually 25, may be changed). All mail sent to this tool is automatically stored and optionally opened with your mail client.

This cool tool will save you the extra time of opening your mailbox every time you carry out an email test. It has worked great for me.
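To show what such a tool does under the hood, here is an added example of my own (not the Test Mail Server program above, nor code from this blog): a tiny SMTP sink that accepts mail from an app, stores each message as a file and never relays anything. It binds only to 127.0.0.1, and the port 2525 and the captured_mail directory are my assumptions.

```python
import os
import socketserver

MAILDIR = "captured_mail"   # assumption: captured messages are written here as .eml files

def smtp_session(read_line, write_line):
    # Speak just enough SMTP to accept mail; returns [(sender, [recipients], raw_message), ...]
    stored, sender, rcpts = [], None, []
    write_line("220 localhost test mail sink")
    while (line := read_line()) is not None:          # None = client hung up
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            write_line("250 localhost")
        elif cmd == "MAIL":
            sender = arg.partition(":")[2].strip().strip("<>")
            write_line("250 OK")
        elif cmd == "RCPT":
            rcpts.append(arg.partition(":")[2].strip().strip("<>"))
            write_line("250 OK")
        elif cmd == "DATA" and (sender is None or not rcpts):
            write_line("503 need MAIL FROM and RCPT TO first")
        elif cmd == "DATA":
            write_line("354 End data with <CR><LF>.<CR><LF>")
            body = []
            while (l := read_line()) is not None and l.rstrip("\r\n") != ".":
                body.append(l[1:] if l.startswith("..") else l)   # undo dot-stuffing
            stored.append((sender, rcpts, "".join(body)))
            sender, rcpts = None, []
            write_line("250 OK stored, nothing delivered")
        elif cmd == "QUIT":
            write_line("221 Bye")
            break
        else:                                          # RSET, NOOP, anything else
            write_line("250 OK" if cmd in ("RSET", "NOOP") else "500 unrecognised command")
    return stored

class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        read = lambda: self.rfile.readline().decode("utf-8", "replace") or None
        write = lambda s: self.wfile.write((s + "\r\n").encode())
        for sender, rcpts, raw in smtp_session(read, write):
            path = os.path.join(MAILDIR, f"{len(os.listdir(MAILDIR)) + 1}.eml")   # store, never deliver
            with open(path, "w") as fh:
                fh.write(raw)

if __name__ == "__main__":   # point the app's SMTP host/port at 127.0.0.1:2525 (assumed port)
    os.makedirs(MAILDIR, exist_ok=True)
    socketserver.TCPServer(("127.0.0.1", 2525), SinkHandler).serve_forever()
```

Because the sink only listens on the loopback interface and discards nothing but delivers nothing, a test run can never leak mail to real recipients.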

30 Oct

How to keep your database under version control?

Best Practices, CakePHP

I've been looking for a solution to this problem for quite a few days now, and I found it quite interesting that there's no standard way to do this. So I decided to ask the CakePHP community. While there are many tools available for this, I'm going to share the best solution of all, which is also Cake based. CakePHP has something known as the Schema shell, which helps you solve the problem in an efficient way.

Let me describe the problem briefly first. There was a comic I saw a few days back (can't find it right now) which inspired me to solve this problem. Here is the text from that cartoon:


Alex: Ok, we're ready, let's sync our work on this project today to show to the client.

Rob: Ok sure, let me see the database changes and put them on the server.

Alex: Oh yeah, let me do it too.

Rob: Hey, I made this change, is it yours? And what about this? Where are you using it?

Alex: Yes-No-Yes-….

Boss: And we're screwed.


That was happening all the time with our team too, before I found this approach.

Here's how it works:

1. Setup

Assuming that you already have a working project to implement DB versioning on, start a command line console from your 'app' directory. Then run 'cake schema help' to make sure you have the shell, and for any necessary instructions.


2. Generate first Schema

Once you see it working fine, let's output our whole DB structure into a dump file. It's not an SQL dump file; it's a schema file in a Cake-friendly format. You can play with other commands like 'schema view' to make sure things work. Ok, let's generate our schema with 'cake schema generate'.

Ok, schema.php is generated; it will be inside your app/config/sql directory.

Here's how the file will look:

PHP:
    <?php
    /* SVN FILE: $Id$ */
    /* App schema generated on: 2008-10-30 23:10:37 : 1225410517*/
    class AppSchema extends CakeSchema {
        var $name = 'App';

        function before($event = array()) {
            return true;
        }

        function after($event = array()) {
        }

        var $users = array(
                'id' => array('type'=>'integer', 'null' => false, 'default' => NULL, 'key' => 'primary'),
                'name' => array('type'=>'string', 'null' => false, 'length' => 25),
                'indexes' => array('PRIMARY' => array('column' => 'id', 'unique' => 1))
            );
    }
    ?>

Looks good (with the sample DB). Now that you have a file for the whole database, you can put it in a repository under version control along with your project.


3. Update Schema

Since there will be changes to the database throughout the development of the project, made by many different developers, we'll need to keep track of them. To do so, we'll make sure the schema file always remains updated; this is something you'll have to instruct your team about.

Let's make a sample change and see how it goes. In my users table, I am going to add a new field called 'password' and then regenerate my schema file.

ALTER TABLE `users` ADD `password` VARCHAR( 20 ) NOT NULL ;

Let's regenerate the schema now:

CakePHP's Schema shell detected the change automatically and asked whether I wanted to overwrite the current schema or snapshot it (create a new one). In my case I want to overwrite it, as I already have it in version control. Let's see what the new schema looks like:

PHP:
    <?php
    /* SVN FILE: $Id$ */
    /* App schema generated on: 2008-10-30 23:10:33 : 1225411053*/
    class AppSchema extends CakeSchema {
        var $name = 'App';

        function before($event = array()) {
            return true;
        }

        function after($event = array()) {
        }

        var $users = array(
                'id' => array('type'=>'integer', 'null' => false, 'default' => NULL, 'key' => 'primary'),
                'name' => array('type'=>'string', 'null' => false, 'length' => 25),
                'password' => array('type'=>'string', 'null' => false, 'length' => 20),
                'indexes' => array('PRIMARY' => array('column' => 'id', 'unique' => 1))
            );
    }
    ?>

You can see the 'password' field is reflected here as well. Now you can keep your whole DB structure under version control in this schema file. However, we've yet to sync the database across different machines. Let's say that after updating (svn up) on my local setup, I get a new schema which I would like to apply to my database. Here's how you'll do that, in the next step.


4. Syncing

Let's assume another user has added a field 'address' in his database and regenerated the schema. Now I want the same change to be reflected in my local database. Here's what the new updated schema looks like (it's only a part of the schema.php file):

PHP:
    var $users = array(
            'id' => array('type'=>'integer', 'null' => false, 'default' => NULL, 'key' => 'primary'),
            'name' => array('type'=>'string', 'null' => false, 'length' => 25),
            'password' => array('type'=>'string', 'null' => false, 'length' => 20),
            'address' => array('type'=>'string', 'null' => false, 'length' => 40),
            'indexes' => array('PRIMARY' => array('column' => 'id', 'unique' => 1))
        );

Now there are normally two options to update your database:

  • Drop all tables and then import the fresh DB structure from the schema.
  • Just update (we need this one)

Here's what you'll do:

And done, our database is now synced. You can run the same process across different machines and never worry about manual syncing again. [Please note that by 'sync' I mean only the structure, not the records.]
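To make the 'just update' path of steps 3 and 4 concrete, here is an added illustration of my own (not CakePHP's Schema shell code, and written in Python rather than PHP so it runs without a Cake install): it diffs the versioned users definition against the local one and emits the ALTER statements an update needs, leaving existing rows untouched. Column names and types come from the sample schema above; the MySQL type mapping and the allow_drop guard are my assumptions. One caveat a reviewer would raise on this schema: a 20-character password column cannot hold a salted hash, so widening it to 60 (the length of a bcrypt hash) is the first MODIFY you would want to see.

```python
# Versioned schema.php contents after a teammate added 'address' (taken from the post's sample)
NEW_USERS = {
    "id": {"type": "integer", "null": False, "default": None, "key": "primary"},
    "name": {"type": "string", "null": False, "length": 25},
    "password": {"type": "string", "null": False, "length": 20},
    "address": {"type": "string", "null": False, "length": 40},
}
# What my local database still looks like before the sync (constructed: no 'address' yet)
OLD_USERS = {k: v for k, v in NEW_USERS.items() if k != "address"}

TYPE_MAP = {"integer": "INT", "string": "VARCHAR"}   # assumption: MySQL column types

def column_sql(name, col):
    """Render one Cake-style column definition as MySQL DDL."""
    sql = f"`{name}` {TYPE_MAP[col['type']]}"
    if "length" in col:
        sql += f"({col['length']})"
    sql += " NULL" if col.get("null", True) else " NOT NULL"
    if col.get("default") is not None:
        sql += f" DEFAULT '{col['default']}'"
    return sql

def diff_table(table, old, new, allow_drop=False):
    """ALTER statements that turn `old` into `new` without touching existing rows.
    Columns missing from `new` are only dropped when allow_drop=True; otherwise they are
    reported as SQL comments so a reviewer sees the destructive step before it runs."""
    stmts = []
    for name, col in new.items():
        if name == "indexes":
            continue                      # index handling is left out of this example
        if name not in old:
            stmts.append(f"ALTER TABLE `{table}` ADD {column_sql(name, col)};")
        elif old[name] != col:
            stmts.append(f"ALTER TABLE `{table}` MODIFY {column_sql(name, col)};")
    for name in old:
        if name != "indexes" and name not in new:
            if allow_drop:
                stmts.append(f"ALTER TABLE `{table}` DROP `{name}`;")
            else:
                stmts.append(f"-- `{table}`.`{name}` is not in the schema; rerun with allow_drop=True to drop it")
    return stmts

if __name__ == "__main__":
    print("\n".join(diff_table("users", OLD_USERS, NEW_USERS)))
```

Run it to print the DDL, review it, and only then apply it; the drop-and-reimport option from the list above would lose every record, which is exactly what this path avoids.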

Hope you enjoyed it!


Abhimanyu Grover
