If you can turn on debug, you can probably just read the database file
as well.  The only way you should be able to toggle debug is by
editing files on the server.  If you have access to those files, you
can easily get the database passwords from disk.

While I understand that people think this should be fixed, no one is
really coming forward with a patch.  Also, expecting people to have
some basic understanding of the tools they are using and what the hell
they are doing is not really a high bar.  CakePHP, unlike Drupal and
WordPress, is not really usable by people who aren't developers.  I
personally expect _developers_ to care about the security of their
applications.  Maybe I'm crazy though.

-Mark

On Jun 22, 9:44 am, Jamie <jamie....@gmail.com> wrote:
> Wow, seriously? That's very irresponsible of the developers. If you
> can install a stock CakePHP and expose database login credentials just
> by turning on debug, that needs to be addressed in the core.
>
> On Jun 21, 10:22 am, Miles J <mileswjohn...@gmail.com> wrote:
>
> > I have brought this problem up before. Last time, the Cake devs said
> > it was the developer's fault and it will stay in.
>
> > -_-
>
> > On Jun 21, 8:23 am, looklook look <bashl...@gmail.com> wrote:
>
> > > Now you got my point ;)
>
> > > I have tried the Google query to show database connections on Drupal,
> > > CodeIgniter, WordPress and many others.
> > > But yes, they can handle this database error carefully.
>
> > > So, I think this is a critical issue that should be fixed immediately.
>
> > > Thanks
>
> > > Yodi
> > > http://yoodey.com
>
> > > On Tue, Jun 21, 2011 at 9:36 PM, Thomas Ploch <profipl...@googlemail.com> wrote:
>
> > > > OMG,
>
> > > > I certainly could connect to __several__ mysql servers found with this
> > > > google query.
>
> > > > Although I agree that this is a developer's mistake, I am sure that
> > > > there are a lot of unskilled developers who are doing this because they
> > > > just don't know any better. So removing those values from the output would
> > > > be a +1 from me.
>
> > > > Regards,
> > > > Thomas
>
> > > > On Tuesday, 21.06.2011, 06:02 -0700, chris wrote:
> > > > > I'm intrigued by this issue.
>
> > > > > Can someone explain in what situations the whole config var would be
> > > > > output? Is it only when an error occurs, and only when at a certain
> > > > > debug level? I've never seen it displayed at all whilst developing
> > > > > with CakePHP.
>
> > > > > Out of interest I googled the first part of the output, i.e.
>
> > > > > $config = array( "persistent" => false,
>
> > > > > and it certainly surprised me how many sites this brings back with
> > > > > passwords on show.
>
> > > > > On Jun 21, 12:46 pm, yodi <bashl...@gmail.com> wrote:
> > > > > > Sorry, it was on random site build by CakePHP.
>
> > > > > > To Euromark, I found more than 100 websites affected by this problem
> > > > > > and I don't have much time to email them all.
>
> > > > > > I think, whether or not debug > 0, CakePHP shouldn't throw the real password
> > > > > > into CONTEXT.
>
> > > > > > I tried searching other CMSs and frameworks. Using the same method, I found
> > > > > > none of them show the real password when a database connection error
> > > > > > occurred.
>
> > > > > > Yes, this is a security issue for me, as there are many developers
> > > > > > using CakePHP.
>
> > > > > > To Larry, I can send you some messages to show how much it's affected.
> > > > > > It can be a consideration.
>
> > > > > > Thanks
>
> > > > > > On Tue, 2011-06-21 at 06:13 -0500, Larry E. Masters wrote:
> > > > > > > Are you saying this was on the CakePHP website or a random site
> > > > > > > you were visiting?
>
> > > > > > > --
> > > > > > > Larry E. Masters
>
> > > > > > > On Mon, Jun 20, 2011 at 2:18 PM, yoodey <bashl...@gmail.com> wrote:
> > > > > > >         Hello all,
>
> > > > > > >         I'm randomly browsing and got a website with a database
> > > > > > >         connection error.
> > > > > > >         It gave me this error page: Warning (2): mysql_connect()
> > > > > > >         [function.mysql-connect]: Access denied for user ...
>
> > > > > > >         So I clicked on the Context option and got this information.
>
> > > > > > >         $config =       array(
> > > > > > >                "persistent" => false,
> > > > > > >                "host" => "xxxxxxxxxxxxxxxxxxx",
> > > > > > >                "login" => "dbxxxxx",
> > > > > > >                "password" => "dbtxxx",
> > > > > > >                "database" => "dbxxxxx",
> > > > > > >                "port" => "3306",
> > > > > > >                "driver" => "mysql",
> > > > > > >                "prefix" => "",
> > > > > > >                "encoding" => "UTF8"
> > > > > > >         )
>
> > > > > > >         To avoid other people doing bad things, I'm not showing the
> > > > > > >         real error information.
>
> > > > > > >         I ran a mysql command based on that information and guess
> > > > > > >         what? I got full access!
> > > > > > >         Curious about this error, I did a little research and found
> > > > > > >         more than 1000 websites with MySQL root access. (There are
> > > > > > >         many others, but I was too tired to check them one by one.)
>
> > > > > > >         This is a very dangerous thing, as I'm a big fan of CakePHP.
> > > > > > >         I am working on a 50K/day visitors website powered by CakePHP
> > > > > > >         and I don't want this thing to happen to me.
>
> > > > > > >         So, please tell me which people at cakephp.org should be
> > > > > > >         contacted about this issue. Opening a ticket would leak real
> > > > > > >         information about the victim website.
>
> > > > > > >         Thanks
>
> > > > > > >         Yoodey

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php
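As an added illustration of the mitigation Thomas and Yodi are asking for (this is not CakePHP code and not code from anyone in this thread): a small PHP helper that masks credential-like keys in a config array before it is rendered into an error page's context, so that a debug level left on by mistake exposes the structure of the config but not the secrets. The `redactConfig` name, the list of sensitive keys and the `$debug` variable are assumptions.

```php
<?php
// Added example, not CakePHP's own code: mask secrets before a config
// array is rendered in a debug/error context. The key list is assumed.
function redactConfig(array $config, array $sensitiveKeys = ['password', 'login', 'host', 'database']): array
{
    $out = [];
    foreach ($config as $key => $value) {
        if (is_array($value)) {
            // Recurse so nested datasource definitions are covered too.
            $out[$key] = redactConfig($value, $sensitiveKeys);
        } elseif (is_string($key) && in_array(strtolower($key), $sensitiveKeys, true)) {
            // Keep an "empty vs. set" hint for debugging, drop the value itself.
            $out[$key] = ($value === '' || $value === null) ? $value : '***redacted***';
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Constructed sample with the same shape as the config shown in the thread.
$config = [
    'persistent' => false,
    'host'       => 'db.example.internal',
    'login'      => 'dbuser',
    'password'   => 'dbpass',
    'database'   => 'appdb',
    'port'       => '3306',
    'driver'     => 'mysql',
    'prefix'     => '',
    'encoding'   => 'UTF8',
];

// Only the redacted copy is ever written to the page, and only when debug
// is on; with debug off the page carries no context at all and the detail
// goes to the server log instead.
$debug = 0; // assumed: the application's debug level
if ($debug > 0) {
    echo 'Context: ' . print_r(redactConfig($config), true);
} else {
    error_log('Database connection failed; see server logs for details');
    echo 'A database error occurred.';
}
```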
