Hi John, if you just had some security tool check your app, then it is probably just a false positive warning. Otherwise, if you have a clue where there is a potential security issue, I would recommend that you file a detailed description (including the version) of how the affected code is vulnerable directly with some of the core devs, not over this mailing list.
best regards
Jan

On 11.04.2013 09:37, John Abat wrote:
> Hi there,
>
> I hope anyone can share some knowledge about this:
> We are regularly building our web applications with cakephp and some of our clients demand a thorough security check before going live.
> Recently one of these checks revealed a high risk of Command Injection and the most vulnerable file being /lib/Cake/Utility/file.php.
>
> Other issues:
>
> * Stored Code Injection
> * XSRF (this can be contained with the Security component)
> * Information Leak Through Persistent Cookies
>
> Other vulnerable files mentioned
>
> # cookiecomponent.php
> # cakesocket.php
> # consoleinput.php
>
> Since these are all cake core files I wonder if these are known issues and if anyone has some information on this.
>
> Thanx!
>
> --
> Like Us on FaceBook https://www.facebook.com/CakePHP
> Find us on Twitter http://twitter.com/CakePHP
>
> ---
> You received this message because you are subscribed to the Google Groups "CakePHP" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscr...@googlegroups.com.
> To post to this group, send email to cake-php@googlegroups.com.
> Visit this group at http://groups.google.com/group/cake-php?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.