9

I am trying to trace the flow of execution in some legacy code. We have a report being accessed with 

http://site.com/?nq=showreport&action=view

This is the puzzle:

  • in index.php there is no $_GET['nq'] or $_GET['action'] (and no $_REQUEST either),
  • index.php, or any sources it includes, do not include showreport.php,
  • in .htaccess there is no url-rewriting

yet, showreport.php gets executed.

I have access to cPanel (but no apache config file) on the server and this is live code I cannot take any liberty with.

What could be making this happen? Where should I look?

Update
Funny thing - sent the client a link to this question in a status update to keep him in the loop; minutes latter all access was revoked and client informed me that the project is cancelled. I believe I have taken enough care not to leave any traces to where the code actually is ...

I am relieved this has been taken off me now, but I am also itching to know what it was!

Thank you everybody for your time and help.

Majid Fouladpour
  • 29,356
  • 21
  • 76
  • 127
  • Apache access log may able to tell you more – Mike B Jul 20 '11 at 21:01
  • @Mike B There are no access logs, there is one `access_logs` directory which is empty. – Majid Fouladpour Jul 20 '11 at 21:07
  • 2
    `http://site.com/nq=showreport&action=view` - this is or is not missing a `?` ? – hakre Jul 20 '11 at 21:09
  • @hakre, Corrected. Thanks for pointing. The real url does have `?` though. ... still getting nowhere – Majid Fouladpour Jul 20 '11 at 21:24
  • 1
    Tried `debug_backtrace()` within `showreport.php`? – KingCrunch Jul 20 '11 at 21:26
  • @KingCrunch - That would be easier than setting up a dev mirror. I will try that - you may consider putting that as an answer. My statement about this being an admin feature is not exact, this actually is customer area feature, and to make the trace only visible to me, I'd use a conditional ip or cookie based trace. Thanks. – Majid Fouladpour Jul 20 '11 at 21:37
  • You can use xdebug per-request too, if that is an option. – Smar Jul 20 '11 at 21:40
  • 1
    As long as xdebug is enabled (but configuration traces and such are not on!), you can enable it with PHP functions for your own requests. I use similar kind of debugging for our production environment which just has been lauched; when PHP error happens I can get better errors logger this way. void xdebug_start_trace( string trace_file [, integer options] ) in http://xdebug.org/docs/execution_trace – Smar Jul 20 '11 at 21:44

7 Answers7

6

There are "a hundreds" ways to parse a URL - in various layers (system, httpd server, CGI script). So it's not possible to answer your question specifically with the information you have got provided.

You leave a quite distinct hint "legacy code". I assume what you mean is, you don't want to fully read the code, understand it even that much to locate the piece of the application in question that is parsing that parameter.

It would be good however if you leave some hints "how legacy" that code is: Age, PHP version targeted etc. This can help.

It was not always that $_GET was used to access these values (same is true for $_REQUEST, they are cousins).

Let's take a look in the PHP 3 manual Mirror:

HTTP_GET_VARS

An associative array of variables passed to the current script via the HTTP GET method.

Is the script making use of this array probably? That's just a guess, this was a valid method to access these parameter for quite some time.

Anyway, this must not be what you search for. There was this often misunderstood and mis-used (literally abused) feature called register globals PHP Manual in PHP. So you might just be searching for $nq.

Next to that, there's always the request uri and apache / environment / cgi variables. See the link to the PHP 3 manual above it lists many of those. Compare this with the current manual to get a broad understanding.

In any case, you might have grep or a multi file search available (Eclipse has a nice build in one if you need to inspect legacy code inside some IDE).

So in the end of the day you might just look for a string like nq, 'nq', "nq" or $nq. Then check what this search brings up. String based search is a good entry into a codebase you don't know at all.

hakre
  • 193,403
  • 52
  • 435
  • 836
  • @harke (and +1): The app is one of those hit tracking apps badly written in the first place, and not supported after the sale closed. This being in use for quite some time has undergone several `feature-adding` by past coders unknown to me. It has `register_globals = On`, and so I have looked for all combinations of methods yielding the variable reading and file inclusion. You are right, I have not reviewed every single source there is, but I have reviewed the index.php and all that is included line by line. There is *no* trace of any method causing invocation of `showreport.php`. – Majid Fouladpour Jul 20 '11 at 21:52
  • 1
    You first need to find where the parameter is parsed. And then you need to look in every place that variable gets processed (yeah, some work, but you won't come around it if it's not obvious). Includes can be done by variable. You can *try* to locate `showreport` as string as well. `include`s can be an expression so based on variables as well and - legacy code `*twinker*` - search for `eval`. I think you get the idea ;). `grep` is your friend. if you're working on remote shell `grep --help | less` offers search. – hakre Jul 20 '11 at 21:59
  • There is no chance anymore to find for sure what the cause actually was. But I mark this as accepted answer as it point to a variety of places to look. – Majid Fouladpour Jul 20 '11 at 23:01
1

I’d install xdebug and use its function trace to look piece by piece what it is doing.

EDIT:

Okay, just an idea, but... Maybe your application is some kind of include hell like application I’m sometimes forced to mess at work? One file includes another, it includes another and that includes original file again... So maybe your index file includes some file that eventually causes this file to get included?

Another EDIT:

Or, sometimes application devs didn’t know what is a $_GET variable and parsed the urls themselves -> doing manual includes based to based urls.

Smar
  • 8,109
  • 3
  • 36
  • 48
  • That is not an option here. This is live stats site receiving 100+ hits per sec and cannot be played with as strictly prohibited by the client. – Majid Fouladpour Jul 20 '11 at 21:04
  • Can’t you run it in development environment? Only other option I can think about is manually debugging it out, but that’s out of question then too. – Smar Jul 20 '11 at 21:07
  • As a last resort, I may have to. But if there *is* something outside directories accessible to me that is behind the behavior, then my dev setup would not work. – Majid Fouladpour Jul 20 '11 at 21:10
  • @Majid Fouladpour: Which tools do you have at hand? Shell access? Is this some linux it's running on? – hakre Jul 20 '11 at 21:41
1

check your crontab, [sorry I don't know where you would find it in cpanel] - does the script fire at a specific time or can you see it definitely fires only when you request a specific page?

-sean

EDIT: If crontab is out, take a look at index.php [and it's includes] and look for code that either loops over the url parameters without specifically noting "nq" and anything that might be parsing the query string [probably something like: $_SERVER['QUERY_STRING'] ]

-sean

Sean Kimball
  • 4,506
  • 9
  • 42
  • 73
  • How could a cron job cause my live request to be routed to a file not being included? Cannot see any possibility of that. – Majid Fouladpour Jul 20 '11 at 21:14
  • 2
    That's why I was asking you how you know the script was being executed - your question does not actually say. – Sean Kimball Jul 20 '11 at 21:20
  • Thanks Sean, and sorry if I wasn't clear on that. But could cron jobs be accessed with a query string? – Majid Fouladpour Jul 20 '11 at 21:30
  • I'm going to check for `$_SERVER['QUERY_STRING']`, thanks for the hint. – Majid Fouladpour Jul 20 '11 at 21:32
  • Hi Majid - no problem, and no a craon job can't be executed by anthing other than the cron daemon [to the best of my knowledge] BUT you can definitely use a query string in a cron task [or any file it happens to be executing] i.e. this line in a crontab: wget - q "http://www.domain.tld/public/index.php?path_info=daily&code=iOFzZ" > /dev/null 2>&1 – Sean Kimball Jul 20 '11 at 21:58
1

I don't know how it works, but I know that Wordpress/Silverstipe is using is own url-rewriting to parse url to find posts/tags/etc. So the url parsing maybe done in a PHP script.

Maxime Fafard
  • 370
  • 2
  • 8
1

Check your config files (php.ini and .htaccess), you may have auto_prepend_file set.

eykanal
  • 26,437
  • 19
  • 82
  • 113
  • +1 Good point, didn't know about these directive, but just checked and it has no value (althou not commented out either: `auto_prepend_file =` `auto_append_file =` – Majid Fouladpour Jul 20 '11 at 21:18
1

You should give debug_backtrace() (or debug_print_backtrace() a try. The output is similar to the output of an Exception-stacktrace, thus it should help you to find out, what is called when and from where. If you don't have the possibility to run the application on a local development system, make sure, that nobody else can see the output

KingCrunch
  • 128,817
  • 21
  • 151
  • 173
0

Are you sure that you are looking at the right config or server? If you go the url above you get an error page that seems to indicate that the server is actually a microsoft iis server and not an apache one.

n8schloss
  • 2,723
  • 2
  • 19
  • 27