Examples: Insecure Guestbook Application
Disclaimer
The following example is an application that is very unstable and dangerous. It is deactivated on my production server and only works on my presentation server. If you install this application on a server, take care to prevent any access to this server from the internet. It is a major security issue to let anybody access this server!
Presentation of the application
This application is a guestbook with some advanced features. The application works but has been written by a very bad programmer (me). So it contains a lot of security vulnerabilities.
Interesting files in the project
Download the files: guestbook-application.zip. The following files are part of this small project and can be of interest:
- index.php: the main file containing the whole program.
- connect.php: the file used to connect to the database (this file is loaded inside index.php).
- guestbook.css: the style file.
- english.php: contains the translation of the terms used in the application (which is i18nised). You also have french.php and german.php.
- guestbook.sql: the MySQL dump of the database used for this application.
Install a version locally
There are two possibilities to install the software.
XAMPP
The easiest way to install Apache, PHP and a database together.
- Download and install XAMPP.
- Start the servers (Web and SQL).
- Copy the files inside the home directory of the HTTP server.
- Import the database inside phpMyAdmin.
- Update the file connect.php to meet your configuration.
Virtual machine
In a virtual machine (the one of the CS Basics course), install the following packages: apache2, mysql-server, php and php-mysql.
$ sudo apt install apache2
$ sudo apt install mysql-server
$ sudo apt install php php-mysql
Then run the MySQL hardening script; you can select how secure your installation is:
$ sudo mysql_secure_installation
You must now allow root to connect using a password (replace password with the password you want):
$ sudo mysql
mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password';
mysql> FLUSH PRIVILEGES;
Download this application as a zip file: guestbook-application.zip
Unzip this file in the htdocs directory of your Apache server (the one you had to install for your Web Programming course).
Create a database and import the SQL instructions (guestbook.sql) into it:
$ mysqladmin -u root -p create guestbook
Enter password:
$ mysql -u root -p guestbook < guestbook-application/guestbook.sql
Enter password:
Copy the files into the /var/www/html/guestbook/ directory (to be created).
Configure the file connect.php in order to meet the configuration of your DB.
In order to install the application on your server, you have to remove the security feature I installed. That means, in the first lines of the file index.php, uncomment the line $production_site = 0; and comment the line require_once('../../../mylib.php');. The rest should work once connect.php matches your database. Enjoy, and don't forget to protect yourself!
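As an added helper (not part of the guestbook project), the following POSIX shell script performs the index.php edit described above on a local copy and checks the result. It assumes the two lines are toggled with PHP // or # line comments, since the real index.php is not shown on this page.

```shell
#!/bin/sh
# Added helper, not part of the guestbook project itself.
# Assumption: the two lines named in the install notes are toggled with PHP
# "//" line comments (the real index.php is not shown here, so "#" is handled too).
set -eu

# Put index.php into local/test mode, as the install notes describe:
#   1. uncomment   $production_site = 0;
#   2. comment out require_once('../../../mylib.php');
# Each substitution only matches the "wrong" state, so running it twice is harmless.
prepare_index() {
    f="$1"
    [ -f "$f" ] || { echo "prepare_index: $f not found" >&2; return 1; }
    sed -i.bak \
        -e 's|^[[:space:]]*//[[:space:]]*\(\$production_site[[:space:]]*=[[:space:]]*0;\)|\1|' \
        -e 's|^[[:space:]]*#[[:space:]]*\(\$production_site[[:space:]]*=[[:space:]]*0;\)|\1|' \
        -e "s|^[[:space:]]*\(require_once('\.\./\.\./\.\./mylib\.php');\)|// \1|" \
        "$f"
    rm -f "$f.bak"
}

# Return 0 only when the file is in the state the notes ask for:
# the production guard is disabled and the external mylib.php is no longer loaded.
check_index() {
    f="$1"
    grep -q '^[[:space:]]*\$production_site[[:space:]]*=[[:space:]]*0;' "$f" || return 1
    ! grep -q "^[[:space:]]*require_once('\.\./\.\./\.\./mylib\.php');" "$f"
}
```

Run it as `prepare_index /var/www/html/guestbook/index.php && check_index /var/www/html/guestbook/index.php` after copying the files into place.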
Contact
Berner Fachhochschule - TI
Quellgasse 21
CH-2501 Biel/Bienne
Switzerland
Mail: emmanuel.benoist (at) bfh.ch