debug > 0 is an absolute no-go for productive sites.

But besides that:
Yes, that's possible.
There are several easy ways to bypass the baked actions and validation.

The easiest thing is to post empty forms (using Firebug it's easy to
remove the inputs or replace them with nonsense).

@see
http://www.dereuromark.de/2010/09/21/saving-model-data-and-security/
for details


On 12 Aug., 22:24, andrewperk <andrewp...@gmail.com> wrote:
> Hello,
>
> I have a cakephp site I'm working on. I have it live on a production
> server, it's still in development.
>
> I switched my core.php from production to development to do some
> testing of things on the live server and forgot to change it back. I
> left it like this for about a week.
>
> Apparently someone smart found the website. They didn't do any damage,
> they just kind of let me know I had a bug somewhere.
>
> They were somehow able to bypass my model validation and register
> themselves with a NULL username and password and marked themselves as
> a premium member, which can only be done via a PayPal payment using
> WebTechNick's PayPal plugin. They did this 4 times: set username, email,
> password fields in the DB to NULL and marked themselves as a premium
> member, giving them paid services for free.
>
> I'm wondering if, while I left the core.php in development mode, they
> got DB access somehow and that's how they did it?
>
> Here's my basic user validation which ensures a username and valid
> password and confirmation as well as username uniqueness:
>
> var $validate = array(
>     'username'=>array(
>       'Not Empty'=>array(
>         'rule'=>'notEmpty',
>         'message'=>'Please enter your desired username.'
>       ),
>       'Username 4 length'=>array(
>         'rule'=>array('minLength', 4),
>         'message'=>'Username must be at least 4 characters in length'
>       ),
>       'Username can only be alphanumeric'=>array(
>         'rule'=>'alphaNumeric',
>         'message'=>'Username can only be letters and numbers.'
>       ),
>       'Must be unique'=>array(
>         'rule'=>'isUnique',
>         'message'=>'That username is taken, try another.'
>       )
>     ),
>     'email'=>array(
>       'Not empty'=>array(
>         'rule'=>'notEmpty',
>         'message'=>'Please enter your email address.'
>       ),
>       'Valid email'=>array(
>         'rule'=>'email',
>         'message'=>'This is not a valid email address.'
>       ),
>       'Must be unique'=>array(
>         'rule'=>'isUnique',
>         'message'=>'That email address is already taken.'
>       )
>     ),
>     'password'=>array(
>       'Minimum 6 length'=>array(
>         'rule'=>array('minLength', 6),
>         'message'=>'Password must be at least 6 characters in length.'
>       ),
>       'Passwords must match'=>array(
>         'rule'=>'matchPasswords', // custom model method, not shown here
>         'message'=>'The passwords do not match.'
>       )
>     ),
>     'ToS'=>array(
>         'rule'=>'/1/', // regex: any value containing a "1" passes
>         'message'=>'You must agree to the terms of service.'
>     )
> );
>
> Is there any other way they could have gotten around my model
> validations? Or did they get DB access because I left my core.php in
> development?
>
> Thanks.

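As an added example (not code from either list participant, and not the WebTechNick plugin's code), here is how the two gaps the reply points at can be closed in a CakePHP 1.3-style model and controller: `'required' => true` makes validation fail when a field's key is missing from the posted data instead of silently skipping the rule, and a field whitelist on `save()` stops a posted `premium` value from ever reaching the database. The model name `User`, the columns `username`, `email`, `password`, `tos` and `premium`, and the use of FormHelper-built forms (which the Security component relies on) are assumptions.

```php
<?php
// Added example (not code from the thread): CakePHP 1.3-style model and
// controller that close the two gaps the reply points at.
// Assumed names: model User, table columns username, email, password,
// tos and premium (the paid-member flag the original poster describes).

class User extends AppModel {
    var $name = 'User';

    var $validate = array(
        'username' => array(
            'notEmpty' => array(
                'rule'     => 'notEmpty',
                // 'required' => true makes validation fail when the key is
                // absent from the posted data. Without it the rule is simply
                // skipped for a field whose input was deleted in the browser,
                // and the column ends up NULL.
                'required' => true,
                'message'  => 'Please enter your desired username.'
            ),
            'alphaNumeric' => array(
                'rule'    => 'alphaNumeric',
                'message' => 'Username can only be letters and numbers.'
            ),
            'isUnique' => array(
                'rule'    => 'isUnique',
                'message' => 'That username is taken, try another.'
            )
        ),
        'email' => array(
            'notEmpty' => array(
                'rule'     => 'notEmpty',
                'required' => true,
                'message'  => 'Please enter your email address.'
            ),
            'email' => array(
                'rule'    => 'email',
                'message' => 'This is not a valid email address.'
            ),
            'isUnique' => array(
                'rule'    => 'isUnique',
                'message' => 'That email address is already taken.'
            )
        ),
        'password' => array(
            'minLength' => array(
                'rule'     => array('minLength', 6),
                'required' => true,
                'message'  => 'Password must be at least 6 characters in length.'
            )
        ),
        'tos' => array(
            'accepted' => array(
                // exact comparison instead of a loose regex such as /1/
                'rule'     => array('equalTo', '1'),
                'required' => true,
                'message'  => 'You must agree to the terms of service.'
            )
        )
    );
}

class UsersController extends AppController {
    var $name = 'Users';
    // The Security component adds form-tampering checks: a FormHelper form
    // whose fields were removed or added client-side is rejected before
    // the action runs.
    var $components = array('Security', 'Session');

    function register() {
        if (!empty($this->data)) {
            $this->User->create();
            // Whitelist the columns a registration may write. 'premium' is
            // deliberately absent, so data[User][premium]=1 in the request
            // is dropped; the column keeps its DB default (assumed 0) and is
            // only set later by the payment handler.
            $fieldList = array('username', 'email', 'password', 'tos');
            if ($this->User->save($this->data, true, $fieldList)) {
                $this->Session->setFlash('Registration complete.');
                $this->redirect(array('action' => 'login'));
            } else {
                $this->Session->setFlash('Please correct the errors below.');
            }
        }
    }
}
```

The whitelist is the part that matters for the premium flag: validation rules only describe fields you expect, so a column nobody wrote a rule for is accepted as-is by a plain `save($this->data)`. Restricting writes to the listed columns, and keeping `debug` at 0 so validation and SQL errors are not echoed to the client, removes both the silent skip and the extra column from the request path.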