Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-30 Thread LunarDraco
I'm curious why you're blaming CakePHP for MySql allowing connections
outside of the webserver?

I made this error once on a live site. Someone hacked my site,
connected to the db and deleted everything in the tables.
When this happened I didn't go off and blame CakePHP or even MySql. I
knew I was the one responsible for the security of that site.
You could just as easily blame MySql for allowing you to configure a
connection from outside your network.

I changed the user credentials to a specific user (not root) and
password to the db and restricted Mysql to only accept connections
from the webserver for that user. I added a sandbox.php to my
configurations. My app/config/sandbox.php is NOT checked into the
repository and it holds custom configuration for the local system. So
on my dev machine I have some specific settings and for the live
deployment I have a different set of settings. It also enables
multiple developers to have completely separate configurations and not
affect the structure in the source repository. This sandbox file is loaded
via Configure::load('sandbox'); at the top of core.php and used as in
Configure::write('debug', Configure::read('Sandbox.debug'));

I don't remember exactly where the concept of using a sandbox.php file
and Configure::load() came from (I think it was in one of the many
articles from one of the core devs) but the credit for this technique
belongs to them and is probably why the function is already in the
Configure class in the first place.

I've thought about using getReferer or $_SERVER['SERVER_NAME'] as part
of the sandbox file name which would allow me to do local testing on
the live server but have yet to implement that. You would create
multiple sandbox files as in mysite_com_sandbox.php and
127_0_0_1_sandbox.php.

Overall I'm with Mark. If we as a community want those changes we need
to strengthen our understanding of that code and submit a patch. As
for me I've learned my lesson, I have a great solution that works
great with the current code base and solves a few additional problems
I was having with multiple developers and deploying new changes to the
server. These are very simple to set up and make a part of your
deployment process.

-Morgan

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php


Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-24 Thread Walther
On Jun 23, 9:22 pm, majna majna...@gmail.com wrote:
 - enable code and context only for dev host (127.0.0.1)

Great idea, until you realise that most large development houses have
separate dev hosts. Even for my personal projects at home I have a
separate dev host.

It is simple, production sites should not be running in debug mode. In
the case of CakePHP systems it is as simple as setting debug = 0, for
standard php systems you wouldn't set error_reporting to 0. It should
not be the responsibility of the CakePHP core team, or any members of
the community to ensure that the developer makes their application
secure. The responsibility for coding secure sites lies solely on the
shoulders of the developer(s) coding that site.
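As an added illustration of LunarDraco's sandbox.php technique above, combined with Walther's and euromark's rule that debug stays at 0 unless the host is a development one, here is a core.php excerpt written for this page; it is not code from the thread or from the CakePHP project. It assumes CakePHP 1.3, where Configure::load('sandbox') includes app/config/sandbox.php, expects that file to define a $config array, and returns false when the file is absent. The Sandbox.debug and Sandbox.dev_hosts keys, the sandbox.php.default template and the address list are made-up names for this example.

```php
<?php
/**
 * app/config/core.php (excerpt) - added example, not the project's own code.
 * Replaces the stock Configure::write('debug', 2); line.
 *
 * Assumed layout:
 *   app/config/sandbox.php.default  committed template: debug 0, no dev hosts
 *   app/config/sandbox.php          per-machine copy, listed in .gitignore
 *
 * Assumed sandbox.php on a developer workstation:
 *   $config['Sandbox']['debug']     = 2;
 *   $config['Sandbox']['dev_hosts'] = array('127.0.0.1', '::1');
 *
 * Assumption: in CakePHP 1.3 Configure::load() includes
 * app/config/<name>.php, merges its $config array, and returns false
 * when the file does not exist.
 */

// Fail closed: no per-host sandbox file means this is a production deploy.
$sandboxLoaded = Configure::load('sandbox');
$debug = 0;

if ($sandboxLoaded !== false) {
    // Unset keys read as null, which casts to 0 / an empty list below.
    $requested = (int) Configure::read('Sandbox.debug');
    $devHosts  = (array) Configure::read('Sandbox.dev_hosts');
    $client    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // Raise debug only when the sandbox asks for it AND the request comes
    // from a listed developer address. REMOTE_ADDR is filled in by the web
    // server from the TCP connection; SERVER_NAME and HTTP_HOST can be
    // influenced by the client's Host header, so they are weaker keys for
    // this decision. Behind a reverse proxy REMOTE_ADDR is the proxy's
    // address, so only list it if every client of that proxy is trusted.
    if ($requested > 0 && in_array($client, $devHosts, true)) {
        $debug = $requested;
    }
}

Configure::write('debug', $debug);

// With debug at 0 the Debugger output this thread is about (stack traces,
// code context, the database.php settings shown on a failed connection)
// is not rendered to the client.
```

Because the default is 0 and debug is raised only when the per-host file asks for it and the connecting address is on the list, a deploy that forgets to create sandbox.php, or copies a developer's file to production, still runs with debug 0. This does not replace the protection mark_story mentions further down for staging sites (HTTP auth or an internal network): a staging host that legitimately runs with debug 2 will still render Debugger output, including database.php settings, to anyone who can reach it.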



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-24 Thread timstermatic
My dos centimos:

This certainly isn't a bug. It's a marmite feature insofar as you
either like it or you don't.

This happened to me once on a dev site that somehow got cached by
Google. It was a shock, but it also gave me a slap on the wrists and I
was lucky - Lesson: never push anything public unless debug is 0.

I personally don't agree with sensitive information like passwords
appearing in debug - but I can live with it if I am aware it can
happen.  As the trace is generally collapsed, it can be difficult to
spot that any highly sensitive information is public, for the more naive
developer.

I think a warning (prominent) in the docs that this can happen would
suffice. In this case, if you don't read the manual, you have no one
else to blame.


On Jun 23, 7:03 am, euromark dereurom...@googlemail.com wrote:
 I always do it the other way around
 in core debug=0 and if on localhost, raise it afterwards to 1/2
 this way there should be no flaws

 On 23 Jun., 06:50, oceanguy seagri...@gmail.com wrote:

  I've been baking for over 3 years, and while I know leaving debug 0
  is not kosher, I often leave it temporarily at 1 for quasi-production
  sites, as it is a heck of a lot easier to debug run-time issues.

  But I had no idea that database info would ever be exposed.  And why
  would I?  Seems like only a peculiar set of circumstances would have
  led me to this error.  If there's one piece of config information
  that shouldn't be exposed at all by an application, it's the db
  connection info.  (Salt keys are probably a close second.)

  If something is a bad practice, then it's up to the community to find
  the best way to inhibit it automatically.  It's really a question of
  the community's integrity as a whole.  If it's common for end user
  developers to make a mistake, then that speaks to an issue that needs
  to be addressed at the core level, otherwise everyone's reputation
  suffers.

  CakePHP is a complex application and there is *a lot* to learn about
  it.  Verbal notes hidden in forums (or even the docs) won't cut it,
  nor will saying, if you followed best practice X, you wouldn't have
  exposed yourself to Y.  End user developers do not know the details
  of how things might work under all circumstances, so we must trust the
  core developers to ensure that best practices are in place to protect
  us from ourselves.

  If it's a question of encouraging developers to maintain separate
  core.php files on dev and production machines, I think an alternative
  distribution model might be helpful.  For example, maybe core.php
  should be distributed like database.php.default, which encourages devs
  to make a specific customized copy for each machine, which also
  implies not including it under version control.

  Aside from this quibble, thanks for an awesome framework (and Mark,
  for a great blog).

  -Sage

  On Jun 22, 1:02 pm, mark_story mark.st...@gmail.com wrote:

   It is the developer's fault, for deploying a system in a way it should
   never be deployed.

   Since I was working under the pretense that any developer who
   actually cared about these kinds of things wouldn't make a stupid
   mistake like this. And combined with the fact that removing the
   passwords is a non-trivial problem, I punted on the issue.  The place
   where this error gets displayed from is inside Debugger, and it's more
   than non-trivial to filter through the various parts of output,
   looking for things that follow password, and cutting them out.  While
   this is probably doable it will affect all the messages that Debugger
   will create.

   I guess I underestimated the ability of people to screw up basic
   deployment.  If someone wants to prepare a patch, I'd be happy to
   apply it so people who can't be bothered to properly deploy their
   applications can sleep better at night.

   -Mark



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-24 Thread LipeDjow
AD7six has already 'fixed' it on 2.0 branch at Github.
https://github.com/cakephp/cakephp/commit/fcd0505d424aaafecfe3b051930e721efebac9f5

Thanks AD7six.. and thanks all members from this topic.
Case closed.



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-24 Thread LipeDjow
... and on other branches too. =)



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-24 Thread Maury
Optimal solution to the problem AD7six. Good work.
https://github.com/cakephp/cakephp/commit/e4fee14a5b1aca3c0af11549aa722358092853e7

I know it is the responsibility of the developer, but it is good to
see that by the CakePHP core, developers are concerned and help create
solutions.
Thank you.


On 23 jun, 02:03, euromark dereurom...@googlemail.com wrote:
 I always do it the other way around
 in core debug=0 and if on localhost, raise it afterwards to 1/2
 this way there should be no flaws

 On 23 Jun., 06:50, oceanguy seagri...@gmail.com wrote:

  I've been baking for over 3 years, and while I know leaving debug 0
  is not kosher, I often leave it temporarily at 1 for quasi-production
  sites, as it is a heck of a lot easier to debug run-time issues.

  But I had no idea that database info would ever be exposed.  And why
  would I?  Seems like only a peculiar set of circumstances would have
  led me to this error.  If there's one piece of config information
  that shouldn't be exposed at all by an application, it's the db
  connection info.  (Salt keys are probably a close second.)

  If something is a bad practice, then it's up to the community to find
  the best way to inhibit it automatically.  It's really a question of
  the community's integrity as a whole.  If it's common for end user
  developers to make a mistake, then that speaks to an issue that needs
  to be addressed at the core level, otherwise everyone's reputation
  suffers.

  CakePHP is a complex application and there is *a lot* to learn about
  it.  Verbal notes hidden in forums (or even the docs) won't cut it,
  nor will saying, if you followed best practice X, you wouldn't have
  exposed yourself to Y.  End user developers do not know the details
  of how things might work under all circumstances, so we must trust the
  core developers to ensure that best practices are in place to protect
  us from ourselves.

  If it's a question of encouraging developers to maintain separate
  core.php files on dev and production machines, I think an alternative
  distribution model might be helpful.  For example, maybe core.php
  should be distributed like database.php.default, which encourages devs
  to make a specific customized copy for each machine, which also
  implies not including it under version control.

  Aside from this quibble, thanks for an awesome framework (and Mark,
  for a great blog).

  -Sage

  On Jun 22, 1:02 pm, mark_story mark.st...@gmail.com wrote:

   It is the developer's fault, for deploying a system in a way it should
   never be deployed.

   Since I was working under the pretense that any developer who
   actually cared about these kinds of things wouldn't make a stupid
   mistake like this. And combined with the fact that removing the
   passwords is a non-trivial problem, I punted on the issue.  The place
   where this error gets displayed from is inside Debugger, and it's more
   than non-trivial to filter through the various parts of output,
   looking for things that follow password, and cutting them out.  While
   this is probably doable it will affect all the messages that Debugger
   will create.

   I guess I underestimated the ability of people to screw up basic
   deployment.  If someone wants to prepare a patch, I'd be happy to
   apply it so people who can't be bothered to properly deploy their
   applications can sleep better at night.

   -Mark



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-24 Thread yodi
Glad to hear that. Finally, I get my question answered.

Yes, the right people to be contacted in CakePHP are all the people involved
in this forum.

Thanks AD7six :)

Yoodey

http://yoodey.com

On Fri, 2011-06-24 at 18:15 -0700, Maury wrote:
 Optimal solution to the problem AD7six. Good work.
 https://github.com/cakephp/cakephp/commit/e4fee14a5b1aca3c0af11549aa7...
 
 I know it is the responsibility of the developer, but it is good to
 see that by the CakePHP core, developers are concerned and help create
 solutions.
 Thank you.
 




Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-24 Thread oceanguy
kudos!



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-23 Thread AD7six


On Jun 22, 11:35 pm, Miles J mileswjohn...@gmail.com wrote:
 That's my point, no?

No. The point is you don't use debug in production _ever_.

You implemented default-allow with your debug setting - it boggles the
mind you still think you did nothing (immensely) wrong.

AD



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-23 Thread chris
Couldn't agree more with the message from oceanguy.

I've only just developed my first live site with CakePHP. The live URL
is always running with debug level 0, so I am not at risk.

However, I do run a staging site, which can have the debug level set
differently. I did not realise until this thread that there is a
potential that this could lead to the staging site outputting the
passwords for the database (again, only the passwords for staging, not
live, but still not great).

To be honest, it's still not entirely clear when this would actually
happen. It seems that it will be if there is an issue with connection
to the DB, but again, no clear details on this.

Thank you to the thread starter for alerting us to this issue. I can
understand why it is maybe not something the CakePHP team want to
change, but I do think it needs to be made clear to developers that
debug levels greater than 0 can expose passwords.

On Jun 23, 6:03 am, euromark dereurom...@googlemail.com wrote:
 I always do it the other way around
 in core debug=0 and if on localhost, raise it afterwards to 1/2
 this way there should be no flaws

 On 23 Jun., 06:50, oceanguy seagri...@gmail.com wrote:

  I've been baking for over 3 years, and while I know leaving debug 0
  is not kosher, I often leave it temporarily at 1 for quasi-production
  sites, as it is a heck of a lot easier to debug run-time issues.

  But I had no idea that database info would ever be exposed.  And why
  would I?  Seems like only a peculiar set of circumstances would have
  led me to this error.  If there's one piece of config information
  that shouldn't be exposed at all by an application, it's the db
  connection info.  (Salt keys are probably a close second.)

  If something is a bad practice, then it's up to the community to find
  the best way to inhibit it automatically.  It's really a question of
  the community's integrity as a whole.  If it's common for end user
  developers to make a mistake, then that speaks to an issue that needs
  to be addressed at the core level, otherwise everyone's reputation
  suffers.

  CakePHP is a complex application and there is *a lot* to learn about
  it.  Verbal notes hidden in forums (or even the docs) won't cut it,
  nor will saying, if you followed best practice X, you wouldn't have
  exposed yourself to Y.  End user developers do not know the details
  of how things might work under all circumstances, so we must trust the
  core developers to ensure that best practices are in place to protect
  us from ourselves.

  If it's a question of encouraging developers to maintain separate
  core.php files on dev and production machines, I think an alternative
  distribution model might be helpful.  For example, maybe core.php
  should be distributed like database.php.default, which encourages devs
  to make a specific customized copy for each machine, which also
  implies not including it under version control.

  Aside from this quibble, thanks for an awesome framework (and Mark,
  for a great blog).

  -Sage

  On Jun 22, 1:02 pm, mark_story mark.st...@gmail.com wrote:

   It is the developer's fault, for deploying a system in a way it should
   never be deployed.

   Since I was working under the pretense that any developer who
   actually cared about these kinds of things wouldn't make a stupid
   mistake like this. And combined with the fact that removing the
   passwords is a non-trivial problem, I punted on the issue.  The place
   where this error gets displayed from is inside Debugger, and it's more
   than non-trivial to filter through the various parts of output,
   looking for things that follow password, and cutting them out.  While
   this is probably doable it will affect all the messages that Debugger
   will create.

   I guess I underestimated the ability of people to screw up basic
   deployment.  If someone wants to prepare a patch, I'd be happy to
   apply it so people who can't be bothered to properly deploy their
   applications can sleep better at night.

   -Mark



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-23 Thread mark_story
On Jun 22, 9:50 pm, oceanguy seagri...@gmail.com wrote:
 I've been baking for over 3 years, and while I know leaving debug 0
 is not kosher, I often leave it temporarily at 1 for quasi-production
 sites, as it is a heck of a lot easier to debug run-time issues.

Usually it's a good idea to protect these staging apps with HTTP basic/
digest auth or put them on internal networks.  I'm guessing this step
is not a 'standard' either though.


 But I had no idea that database info would ever be exposed.  And why
 would I?  Seems like only a peculiar set of circumstances would have
 led me to this error.  If there's one piece of config information
 that shouldn't be exposed at all by an application, it's the db
 connection info.  (Salt keys are probably a close second.)

 If something is a bad practice, then it's up to the community to find
 the best way to inhibit it automatically.  It's really a question of
 the community's integrity as a whole.  If it's common for end user
 developers to make a mistake, then that speaks to an issue that needs
 to be addressed at the core level, otherwise everyone's reputation
 suffers.

 CakePHP is a complex application and there is *a lot* to learn about
 it.  Verbal notes hidden in forums (or even the docs) won't cut it,
 nor will saying, if you followed best practice X, you wouldn't have
 exposed yourself to Y.  End user developers do not know the details
 of how things might work under all circumstances, so we must trust the
 core developers to ensure that best practices are in place to protect
 us from ourselves.

 If it's a question of encouraging developers to maintain separate
 core.php files on dev and production machines, I think an alternative
 distribution model might be helpful.  For example, maybe core.php
 should be distributed like database.php.default, which encourages devs
 to make a specific customized copy for each machine, which also
 implies not including it under version control.

This is an option I've considered; it adds an additional setup step
for new users.  I personally never put any environment-specific
configuration files in version control, and put .default files
instead.  One possibility is to create a better system for environment
configuration, and a good way to manage it.  I'm not really sure any
solution would prevent people from doing the wrong thing.

No matter what obstacles we put in the way, people are still going to
be able to deploy sites in development mode, and have them expose
information or be more vulnerable than they need to be.

-Mark


 Aside from this quibble, thanks for an awesome framework (and Mark,
 for a great blog).

 -Sage

 On Jun 22, 1:02 pm, mark_story mark.st...@gmail.com wrote:

  It is the developer's fault, for deploying a system in a way it should
  never be deployed.

  Since I was working under the pretense that any developer who
  actually cared about these kinds of things wouldn't make a stupid
  mistake like this. And combined with the fact that removing the
  passwords is a non-trivial problem, I punted on the issue.  The place
  where this error gets displayed from is inside Debugger, and it's more
  than non-trivial to filter through the various parts of output,
  looking for things that follow password, and cutting them out.  While
  this is probably doable it will affect all the messages that Debugger
  will create.

  I guess I underestimated the ability of people to screw up basic
  deployment.  If someone wants to prepare a patch, I'd be happy to
  apply it so people who can't be bothered to properly deploy their
  applications can sleep better at night.

  -Mark



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-23 Thread Miles J
What are you talking about, stop trolling. I know that was incorrect,
but that's my point. How are developers supposed to know *which* is
the correct way until they encounter the problem? It's not stated in
the docs, and a new Cake developer isn't going to know any better.
Database credentials, regardless of whose fault it is, should *never*
be displayed in plain text; whose smart idea was that?

Get off your high "I know everything" horse.

On Jun 23, 1:00 am, AD7six andydawso...@gmail.com wrote:
 On Jun 22, 11:35 pm, Miles J mileswjohn...@gmail.com wrote:

  That's my point, no?

 No. The point is you don't use debug in production _ever_.

 You implemented default-allow with your debug setting - it boggles the
 mind you still think you did nothing (immensely) wrong.

 AD



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-23 Thread AD7six


On Jun 23, 7:41 pm, Miles J mileswjohn...@gmail.com wrote:
 What are you talking about, stop trolling. I know that was incorrect,
 but that's my point. How are developers supposed to know *which* is
 the correct way until they encounter the problem? It's not stated in
 the docs, and a new Cake developer isn't going to know any better.
 Database credentials, regardless of whose fault it is, should *never*
 be displayed in plain text; whose smart idea was that?

yours



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-23 Thread majna
It's not just a database.php credentials issue;
debugger code and context can output any code excerpt.
For example, you may have API_KEY just above some code that produces a
PHP notice,
and debugger will show your key.

Proposal:
- add notice in docs and cake core.php config
- enable code and context only for dev host (127.0.0.1) or remove it
(not very useful)
- stop arguing and be polite :)

On Jun 23, 8:47 pm, AD7six andydawso...@gmail.com wrote:
 On Jun 23, 7:41 pm, Miles J mileswjohn...@gmail.com wrote:

  What are you talking about, stop trolling. I know that was incorrect,
  but that's my point. How are developers supposed to know *which* is
  the correct way until they encounter the problem? It's not stated in
  the docs, and a new Cake developer isn't going to know any better.
  Database credentials, regardless of whose fault it is, should *never*
  be displayed in plain text; whose smart idea was that?

 yours



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-23 Thread Ma'moon
On Thu, Jun 23, 2011 at 3:22 PM, majna majna...@gmail.com wrote:

 It's not just a database.php credentials issue;
 debugger code and context can output any code excerpt.
 For example, you may have API_KEY just above some code that produces a
 PHP notice,
 and debugger will show your key.

 Proposal:
 - add notice in docs and cake core.php config
 - enable code and context only for dev host (127.0.0.1) or remove it
 (not very useful)

+1

 - stop arguing and be polite :)

 On Jun 23, 8:47 pm, AD7six andydawso...@gmail.com wrote:
  On Jun 23, 7:41 pm, Miles J mileswjohn...@gmail.com wrote:
 
   What are you talking about, stop trolling. I know that was incorrect,
   but that's my point. How are developers supposed to know *which* is
   the correct way until they encounter the problem? It's not stated in
   the docs, and a new Cake developer isn't going to know any better.
   Database credentials, regardless of whose fault it is, should *never*
   be displayed in plain text; whose smart idea was that?
 
  yours





Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-23 Thread 0x20h
On 23.06.2011 21:22, majna wrote:
 ...

 Proposal:
 - add notice in docs and cake core.php config
 - enable code and context only for dev host (127.0.0.1) or remove it
 (not very useful)
+1, never used context.
 - stop arguing and be polite :)
+1
 On Jun 23, 8:47 pm, AD7six andydawso...@gmail.com wrote:
 On Jun 23, 7:41 pm, Miles J mileswjohn...@gmail.com wrote:
 [bla...]



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-23 Thread Miles J
What a helpful member of the CakePHP community you are.

The consensus seems to be against you on this one.

On Jun 23, 11:47 am, AD7six andydawso...@gmail.com wrote:
 On Jun 23, 7:41 pm, Miles J mileswjohn...@gmail.com wrote:

  What are you talking about, stop trolling. I know that was incorrect,
  but that's my point. How are developers supposed to know *which* is
  the correct way until they encounter the problem? It's not stated in
  the docs, and a new Cake developer isn't going to know any better.
  Database credentials, regardless of whose fault it is, should *never*
  be displayed in plain text; whose smart idea was that?

 yours



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread chris
Can someone confirm the circumstances in which this output will appear?

Does it happen if the debug level is set to 1 as well?

Thanks


On Jun 21, 6:48 pm, looklook look bashl...@gmail.com wrote:
 Sad to hear that, Miles.

 I hope the cake devs are not blaming the developers' fault again.
 Otherwise, the cake devs should make it safer for new developers learning
 CakePHP, who always make many mistakes as they progress.

 Thanks

 http://yoodey.com

 On Wed, Jun 22, 2011 at 12:22 AM, Miles J mileswjohn...@gmail.com wrote:
  I have brought this problem up before. Last time, the Cake devs said
  it was the developers' fault and it will stay in.

  -_-

  On Jun 21, 8:23 am, looklook look bashl...@gmail.com wrote:
   Now you got my point ;)

   I have tried a Google query to show database connections on Drupal,
   CodeIgniter, WordPress and many others.
   But yes, they handle this database error carefully.

   So, I think this is a critical issue that should be fixed immediately.

   Thanks

   Yodi
   http://yoodey.com

   On Tue, Jun 21, 2011 at 9:36 PM, Thomas Ploch profipl...@googlemail.com wrote:

OMG,

I certainly could connect to __several__ mysql servers found with this
google query.

Although I agree that this is a developer's mistake, I am sure that
there are a lot of unskilled developers that are doing this because
they just don't know any better. So removing those values from the output
would be a +1 from me.

Regards,
Thomas

On Tuesday, 21.06.2011, 06:02 -0700, chris wrote:
 I'm intrigued by this issue.

 Can someone explain in what situations the whole config var would be
 output? Is it only when an error occurs, and only when at a certain
 debug level? I've never seen it displayed at all whilst developing
 with cakePHP.

 Out of interest I googled the first part of the output, i.e.

 $config = array( persistent => false,

 and it certainly surprised me how many sites this brings back with
 passwords on show.

 On Jun 21, 12:46 pm, yodi bashl...@gmail.com wrote:
  Sorry, it was on a random site built with CakePHP.

  To Euromark, I found more than 100 websites affected by this problem
  and I don't have much time to email them all.

  I think, whether debug > 0 or not, CakePHP shouldn't throw the real
  password into CONTEXT.

  I tried searching other CMSs and frameworks. Using the same method, I
  found none of them show the real password when a database connection
  error occurred.

  Yes, this is a security issue for me, since there are many developers
  using CakePHP.

  To Larry, I can send you some messages to show how much it is affected.
  It can be a consideration.

  Thanks

  On Tue, 2011-06-21 at 06:13 -0500, Larry E. Masters wrote:
   Are you saying this was on the CakePHP website or a random site you
   were visiting?

   --
   Larry E. Masters

   On Mon, Jun 20, 2011 at 2:18 PM, yoodey bashl...@gmail.com wrote:
           Hello all,

           I was randomly browsing and got a website with a database
           connection error.
           It gave me this error page: Warning (2): mysql_connect()
           [function.mysql-connect]: Access denied for user ...

           So I clicked on the Context option and got this information.

           $config =       array(
                  persistent => false,
                  host => xxx,
                  login => dbx,
                  password => dbtxxx,
                  database => dbx,
                  port => 3306,
                  driver => mysql,
                  prefix => ,
                  encoding => UTF8
           )

           To avoid other people doing bad things, I'm not showing the
           real error information.

           I ran a mysql command based on that information and guess
           what? I got full access!
           Curious about this error, I did a little research and found
           more than 1000 websites with MySQL root access (there are many
           others, but I was too tired to check them one by one).

           This is a very dangerous thing, and I'm a big fan of CakePHP.
           I'm working on a 50K visitors/day website powered by CakePHP
           and I don't want this to happen to me.

           So, please tell me which people at cakephp.org should be
           contacted about this issue. Opening a ticket would leak real
           information about the victim website.

           Thanks

           Yoodey


Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread AD7six


On Jun 22, 12:49 pm, chris chris@internetlogistics.com wrote:
 Can someone confirm the circumstances in which this output will appear?

On tuesdays.

 Does it happen if the debug level is set to 1 as well?

yes.



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread Jamie
Wow, seriously? That's very irresponsible of the developers. If you
can install a stock CakePHP and expose database login credentials just
by turning on debug, that needs to be addressed in the core.

On Jun 21, 10:22 am, Miles J mileswjohn...@gmail.com wrote:
 I have brought this problem up before. Last time, the Cake devs said
 it was the developers' fault and it will stay in.

 -_-


Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread mark_story
If you can turn on debug, you can probably just read the database file
as well.  The only way you should be able to toggle debug is by
editing files on the server.  If you have access to those files, you
can easily get the database passwords from disk.

While I understand that people think this should be fixed, no one is
really coming forward with a patch.  Also, expecting people to have
some basic understanding of the tools they are using and what the hell
they are doing is not really a high bar.  CakePHP, unlike Drupal and
WordPress, is not really usable by people who aren't developers.  I
personally expect _developers_ to care about the security of their
applications.  Maybe I'm crazy though.

-Mark

On Jun 22, 9:44 am, Jamie jamie@gmail.com wrote:
 Wow, seriously? That's very irresponsible of the developers. If you
 can install a stock CakePHP and expose database login credentials just
 by turning on debug, that needs to be addressed in the core.


Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread mark_story
It is the developer's fault, for deploying a system in a way it should
never be deployed.

Since I was working under the pretense that any developer who
actually cared about these kinds of things wouldn't make a stupid
mistake like this, and combined with the fact that removing the
passwords is a non-trivial problem, I punted on the issue.  The place
where this error gets displayed from is inside Debugger, and it's more
than non-trivial to filter through the various parts of output,
looking for things that follow password, and cutting them out.  While
this is probably doable it will affect all the messages that Debugger
will create.

I guess I underestimated the ability of people to screw up basic
deployment.  If someone wants to prepare a patch, I'd be happy to
apply it so people who can't be bothered to properly deploy their
applications can sleep better at night.

-Mark

On Jun 21, 10:22 am, Miles J mileswjohn...@gmail.com wrote:
 I have brought this problem up before. Last time, the Cake devs said
 it was the developers fault and it will stay in.

 -_-


Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread majna
How about outputting the debugger Context only for 127.0.0.1?

On Jun 22, 7:02 pm, mark_story mark.st...@gmail.com wrote:
 It is the developer's fault, for deploying a system in a way it should
 never be deployed.

 Since I was working under the pretense that any developer who
 actually cared about these kinds of things wouldn't make a stupid
 mistake like this, and combined with the fact that removing the
 passwords is a non-trivial problem, I punted on the issue.  The place
 where this error gets displayed from is inside Debugger, and it's more
 than non-trivial to filter through the various parts of output,
 looking for things that follow password, and cutting them out.  While
 this is probably doable it will affect all the messages that Debugger
 will create.

 I guess I underestimated the ability of people to screw up basic
 deployment.  If someone wants to prepare a patch, I'd be happy to
 apply it so people who can't be bothered to properly deploy their
 applications can sleep better at night.

 -Mark

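One way to implement the filtering Mark describes and majna's 127.0.0.1 gate, as an added example that is not CakePHP's own code; the function names, the key list and the sample config values are assumptions for illustration:

```php
<?php
// Added example, not CakePHP core code. It demonstrates two mitigations the
// thread discusses: redacting credential-like values from the Debugger context
// before it is rendered (filtering "things that follow password"), and only
// rendering the context at all for a loopback client (majna's proposal).
// redactContext(), shouldShowContext() and SENSITIVE_KEYS are hypothetical
// names; they are not part of the CakePHP Debugger API.

/** Keys whose values must never reach an error page (matched case-insensitively). */
const SENSITIVE_KEYS = ['password', 'passwd', 'pass', 'secret', 'token'];

/**
 * Walk an arbitrarily nested context array and replace the value of every
 * sensitive key with a fixed mask. The input is copied, not modified, and a
 * constant-length mask leaks nothing about the secret's length.
 */
function redactContext(array $context, string $mask = '***REDACTED***'): array
{
    $out = [];
    foreach ($context as $key => $value) {
        if (is_string($key) && in_array(strtolower($key), SENSITIVE_KEYS, true)) {
            $out[$key] = $mask;
        } elseif (is_array($value)) {
            $out[$key] = redactContext($value, $mask);   // recurse into nested config
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

/**
 * majna's proposal: show the Context pane only when the request comes from
 * the machine itself. Caveat: behind a reverse proxy REMOTE_ADDR is the
 * proxy's address, so this must not be the only gate; redact regardless.
 */
function shouldShowContext(string $remoteAddr): bool
{
    return in_array($remoteAddr, ['127.0.0.1', '::1'], true);
}

// Constructed sample modelled on the $config array quoted in the thread;
// the values are placeholders, not real credentials.
$config = [
    'persistent' => false,
    'host'       => 'db.example.invalid',
    'login'      => 'app_user',
    'password'   => 'placeholder-not-a-real-password',
    'database'   => 'app_db',
    'port'       => 3306,
    'driver'     => 'mysql',
    'prefix'     => '',
    'encoding'   => 'UTF8',
];

// Debugger keys the context by variable name, so the config sits one level down.
$context = ['config' => $config];

$remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.10';   // constructed non-local client

if (shouldShowContext($remoteAddr)) {
    print_r(redactContext($context));   // even locally, the password stays masked
} else {
    echo "Context suppressed for non-local client {$remoteAddr}\n";
}

// Sanity checks; run with `php -d zend.assertions=1 example.php` to enforce them.
$safe = redactContext($context);
assert($safe['config']['password'] === '***REDACTED***');
assert($safe['config']['host'] === 'db.example.invalid');   // non-secrets untouched
assert(!shouldShowContext('203.0.113.10') && shouldShowContext('127.0.0.1'));
```

Redaction happens before rendering, so it also covers the dispatch-order window Miles describes, where the connection fails while debug is still on.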

Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread Miles J
The problem is, it's unclear when this error is thrown. I developed in
Cake for over a year and still had this debug show in production. It's
not a problem of being a good developer, it was a problem of debug
being enabled at a certain point in the dispatch cycle and then turned
off at another point, but the error being thrown while debug was still
on. It was a problem with the order of operations, and the only way a
good developer will know this process is when it happens to them, and
that just might happen in prod. No developer will know about this
unless they reverse engineered the whole dispatch cycle to see how and
when this error is thrown.

http://milesj.me/blog/read/debug-off-prod-again

On Jun 22, 10:08 am, majna majna...@gmail.com wrote:
 How about outputting the debugger Context only for 127.0.0.1?


Aw: Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread Jens Dittrich
I cannot agree that this is a bug that should be fixed in cake itself. 
This is definitely a bug in the release cycle or is the responsibility of 
the developer. 
Comparing Cake's debug messages with messages in WordPress seems absurd to 
me. One is a CMS for beginners and the other is a development framework. A 
development framework targets people who know about the context and the 
effects that their actions have. You cannot and should not stop beginners 
from using a development framework, but it is not the responsibility of the 
framework to protect them from doing very irresponsible things.
Regards



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread AD7six


On Jun 22, 7:20 pm, Miles J mileswjohn...@gmail.com wrote:
 The problem is, it's unclear when this error is thrown. I developed in
 Cake for over a year and still had this debug show in production.

From your blog post:

debug in core.php was set to 2, and then disabled to 0 in
bootstrap.php

with hindsight you can see the problem with that - but it should be
obvious: That means anything which happens generating a warning/error/
notice in between loading core.php and bootstrap.php will be sent to
users - and failing to connect to the db is one of those things in
cake 1.2/3.

IMO what you describe in your blog post is a manufactured problem
_purely_ because you are sharing the same core.php file on your local
machine and your deployed site - don't do that.

AD



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread bujanga
This should be fixed in core. A developer who actually needed the
password would be able to get it easily enough. We developers are
often rushed and do occasionally make stupid mistakes but a simple
mistake should not reveal passwords. Great and effective effort has
been put into the code to make it easy to deploy a secure application.
The same care and effort should ensure that simple mistakes by a
developer do not break the secure application.

Gary



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread mark_story
Deploying an application with debug on is not a secure application.

-Mark

On Jun 22, 1:11 pm, bujanga buja...@gmail.com wrote:
 This should be fixed in core. A developer who actually needed the
 password would be able to get it easily enough. We developers are
 often rushed and do occasionally make stupid mistakes but a simple
 mistake should not reveal passwords. Great and effective effort has
 been put into the code to make it easy to deploy a secure application.
 The same care and effort should ensure that simple mistakes by a
 developer do not break the secure application.

 Gary



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread Miles J
That's my point, no? How is a developer supposed to know at which step
core.php is loaded in the bootstrap process, such that it will cause
problems? No one's going to know this unless they dig into the core
files and discover it.

On Jun 22, 12:17 pm, AD7six andydawso...@gmail.com wrote:
 On Jun 22, 7:20 pm, Miles J mileswjohn...@gmail.com wrote:

  The problem is, it's unclear when this error is thrown. I developed in
  Cake for over a year and still had this debug show in production.

 From your blog post:

 debug in core.php was set to 2, and then disabled to 0 in
 bootstrap.php

 with hindsight you can see the problem with that - but it should be
 obvious: that means anything which happens generating a warning/error/
 notice in between loading core.php and bootstrap.php will be sent to
 users - and failing to connect to the db is one of those things in
 cake 1.2/3.

 IMO what you describe in your blog post is a manufactured problem
 _purely_ because you are sharing the same core.php file on your local
 machine and your deployed site - don't do that.

 AD



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread rchavik
On Wednesday, June 22, 2011 11:52:45 PM UTC+7, mark_story wrote:

 While I understand that people think this should be fixed, no one is 
 really coming forward with a patch.


Hi Mark,

Here's a quick patch: 
https://github.com/rchavik/cakephp/commit/2be048eb6556d57314de5e3fb2bfa4ab11d2b039.
I think it would handle at least the case reported by thread starter.



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread oceanguy
I've been baking for over 3 years, and while I know leaving debug > 0
is not kosher, I often leave it temporarily at 1 for quasi-production
sites, as it is a heck of a lot easier to debug run-time issues.

But I had no idea that database info would ever be exposed.  And why
would I?  Seems like only a peculiar set of circumstances would have
led me to this error.  If there's one piece of config information
that shouldn't be exposed at all by an application, it's the db
connection info.  (Salt keys are probably a close second.)

If something is a bad practice, then it's up to the community to find
the best way to inhibit it automatically.  It's really a question of
the community's integrity as a whole.  If it's common for end user
developers to make a mistake, then that speaks to an issue that needs
to be addressed at the core level, otherwise everyone's reputation
suffers.

CakePHP is a complex application and there is *a lot* to learn about
it.  Verbal notes hidden in forums (or even the docs) won't cut it,
nor will saying, if you followed best practice X, you wouldn't have
exposed yourself to Y.  End user developers do not know the details
of how things might work under all circumstances, so we must trust the
core developers to ensure that best practices are in place to protect
us from ourselves.

If it's a question of encouraging developers to maintain separate
core.php files on dev and production machines, I think an alternative
distribution model might be helpful.  For example, maybe core.php
should be distributed like database.php.default, which encourages devs
to make a specific customized copy for each machine, which also
implies not including it under version control.

Aside from this quibble, thanks for an awesome framework (and Mark,
for a great blog).

-Sage



On Jun 22, 1:02 pm, mark_story mark.st...@gmail.com wrote:
 It is the developer's fault, for deploying a system in a way it should
 never be deployed.

 Since, I was working under the pretense that any developer who
 actually cared about these kinds of things wouldn't make a stupid
 mistake like this. And combined with the fact that removing the
 passwords is a non-trivial problem, I punted on the issue.  The place
 where this error gets displayed from is inside Debugger, and it's more
 than non-trivial to filter through the various parts of output,
 looking for things that follow password, and cutting them out.  While
 this is probably doable it will affect all the messages that Debugger
 will create.

 I guess I underestimated the ability of people to screw up basic
 deployment.  If someone wants to prepare a patch, I'd be happy to
 apply it so people who can't be bothered to properly deploy their
 applications, can sleep better at night.

 -Mark




Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-22 Thread euromark
i always do it the other way around
in core debug=0 and if on localhost, raise it afterwards to 1/2
this way there should be no flaws


On 23 Jun., 06:50, oceanguy seagri...@gmail.com wrote:
 I've been baking for over 3 years, and while I know leaving debug > 0
 is not kosher, I often leave it temporarily at 1 for quasi-production
 sites, as it is a heck of a lot easier to debug run-time issues.

 But I had no idea that database info would ever be exposed.  And why
 would I?  Seems like only a peculiar set of circumstances would have
 led me to this error.  If there's one piece of config information
 that shouldn't be exposed at all by an application, it's the db
 connection info.  (Salt keys are probably a close second.)

 If something is a bad practice, then it's up to the community to find
 the best way to inhibit it automatically.  It's really a question of
 the community's integrity as a whole.  If it's common for end user
 developers to make a mistake, then that speaks to an issue that needs
 to be addressed at the core level, otherwise everyone's reputation
 suffers.

 CakePHP is a complex application and there is *a lot* to learn about
 it.  Verbal notes hidden in forums (or even the docs) won't cut it,
 nor will saying, if you followed best practice X, you wouldn't have
 exposed yourself to Y.  End user developers do not know the details
 of how things might work under all circumstances, so we must trust the
 core developers to ensure that best practices are in place to protect
 us from ourselves.

 If it's a question of encouraging developers to maintain separate
 core.php files on dev and production machines, I think an alternative
 distribution model might be helpful.  For example, maybe core.php
 should be distributed like database.php.default, which encourages devs
 to make a specific customized copy for each machine, which also
 implies not including it under version control.

 Aside from this quibble, thanks for an awesome framework (and Mark,
 for a great blog).

 -Sage



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-21 Thread euromark
this is not really a security issue!
if you hung up your door key on the front porch it would be your fault
if you get robbed, too.

it's the responsibility of the (cake) developer to turn debug off in
production mode.
non productive pages should be behind htaccess protection etc.

simply write those developers (email can be obtained by domain
usually) an email.
this has nothing to do with cake itself - at least if debug is  0

i did open a related ticket:
http://cakephp.lighthouseapp.com/projects/42648/tickets/1780-proper-apperror-on-mysql-errors
this would throw an app error right away in those situations instead
of continuing with above warnings.



On 20 Jun., 21:18, yoodey bashl...@gmail.com wrote:
 Hello all,

 I was randomly browsing and came across a website with a database
 connection error.
 It gave me an error page: Warning (2): mysql_connect() [function.mysql-
 connect]: Access denied for user ...

 So I clicked on the Context option and got this information:

 $config =       array(
         persistent => false,
         host => xxx,
         login => dbx,
         password => dbtxxx,
         database => dbx,
         port => 3306,
         driver => mysql,
         prefix => ,
         encoding => UTF8
 )

 To avoid other people doing bad things, I'm not showing the real error
 information.

 I ran the mysql command based on that information and guess what? I
 got full access!
 Curious about this error, I did a little research and found more than
 1000 websites with MySQL root access (there are many others, but I was too
 tired to check them one by one).

 This is a very dangerous thing, and I'm a big fan of CakePHP. I'm working
 on a 50K/day visitor website powered by CakePHP and I don't want
 this to happen to me.

 So, please tell me, which people at cakephp.org should be contacted
 about this issue? Opening a ticket would leak real information about
 the victim website.

 Thanks

 Yoodey



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-21 Thread Larry E. Masters
Are you saying this was on the CakePHP website or a random site you were
visiting?

--
Larry E. Masters

On Mon, Jun 20, 2011 at 2:18 PM, yoodey bashl...@gmail.com wrote:

 Hello all,

 I was randomly browsing and came across a website with a database
 connection error.
 It gave me an error page: Warning (2): mysql_connect() [function.mysql-
 connect]: Access denied for user ...

 So I clicked on the Context option and got this information:

 $config =   array(
         persistent => false,
         host => xxx,
         login => dbx,
         password => dbtxxx,
         database => dbx,
         port => 3306,
         driver => mysql,
         prefix => ,
         encoding => UTF8
 )

 To avoid other people doing bad things, I'm not showing the real error
 information.

 I ran the mysql command based on that information and guess what? I
 got full access!
 Curious about this error, I did a little research and found more than
 1000 websites with MySQL root access (there are many others, but I was too
 tired to check them one by one).

 This is a very dangerous thing, and I'm a big fan of CakePHP. I'm working
 on a 50K/day visitor website powered by CakePHP and I don't want
 this to happen to me.

 So, please tell me, which people at cakephp.org should be contacted
 about this issue? Opening a ticket would leak real information about
 the victim website.

 Thanks

 Yoodey



Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-21 Thread yodi
Sorry, it was on a random site built with CakePHP.

To Euromark, I found more than 100 websites affected by this problem
and I don't have much time to email them all.

I think, whether debug > 0 or not, CakePHP shouldn't throw the real password
into CONTEXT.

I tried searching other CMSs and frameworks. Using the same method, I found
none of them show the real password when a database connection error
occurs.

Yes, this is a security issue for me, since there are many developers
using CakePHP.


To Larry, I can send you some messages to show how much it's affected. It
can be taken into consideration.


Thanks


On Tue, 2011-06-21 at 06:13 -0500, Larry E. Masters wrote:
 Are you saying this was on the CakePHP website or a random site you
 were visiting?
 
 
 --
 Larry E. Masters
 


Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-21 Thread chris
I'm intrigued by this issue.

Can someone explain in what situations the whole config var would be
output? Is it only when an error occurs, and only at a certain
debug level? I've never seen it displayed at all whilst developing
with CakePHP.

Out of interest I googled the first part of the output, i.e.

$config = array( persistent => false,

and it certainly surprised me how many sites this brings back with
passwords on show.

On Jun 21, 12:46 pm, yodi bashl...@gmail.com wrote:
 Sorry, it was on a random site built with CakePHP.

 To Euromark, I found more than 100 websites affected by this problem
 and I don't have much time to email them all.

 I think, whether debug > 0 or not, CakePHP shouldn't throw the real password
 into CONTEXT.

 I tried searching other CMSs and frameworks. Using the same method, I found
 none of them show the real password when a database connection error
 occurs.

 Yes, this is a security issue for me, since there are many developers
 using CakePHP.

 To Larry, I can send you some messages to show how much it's affected. It
 can be taken into consideration.

 Thanks









Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-21 Thread euromark
if debug = 0 it's supposed to read..^^

and yes, it's certainly alarming how careless some people are
maybe cakephp should omit the password in the error warnings' context


On 21 Jun., 15:02, chris chris@internetlogistics.com wrote:
 I'm intrigued by this issue.

 Can someone explain in what situations the whole config var would be
 output? Is it only when an error occurs, and only at a certain
 debug level? I've never seen it displayed at all whilst developing
 with CakePHP.

 Out of interest I googled the first part of the output, i.e.

 $config = array( persistent => false,

 and it certainly surprised me how many sites this brings back with
 passwords on show.


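The redaction euromark and Thomas suggest above (omit the password from the error context), as an added example that is not CakePHP's own code and not the patch linked earlier in the thread: a small PHP helper that scrubs credential-bearing keys from a context array before it would be rendered into an error page. The key-word list, the `redactContext()` helper and the sample `$config` below are constructed for this example; wiring it into Debugger's context export is left to the reader.

```php
<?php
// Added example, not CakePHP's own code and not the patch linked in the
// thread. Redacts credential-bearing entries from a context array before
// it is dumped into an error page. Key names and the sample data below
// are constructed for this example.

/**
 * Substrings that mark a key as secret-bearing. Matching is
 * case-insensitive, so "Password", "db_password" and "apiKey" all hit.
 * Over-matching (e.g. "monkey") is acceptable: it only hides a value.
 */
function sensitiveKeyWords()
{
    return array('password', 'passwd', 'secret', 'salt', 'cipherseed', 'token', 'key');
}

/**
 * True when $key looks like it names a credential.
 */
function isSensitiveKey($key)
{
    $needle = strtolower((string)$key);
    foreach (sensitiveKeyWords() as $word) {
        if (strpos($needle, $word) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Walk $value recursively and replace every secret-bearing entry with a
 * fixed marker. The shape of the context (keys, nesting, non-secret
 * values) is preserved so it stays useful for debugging. Objects are
 * reduced to their public properties; a depth limit stops runaway
 * recursion on self-referencing structures.
 */
function redactContext($value, $depth = 0)
{
    if ($depth > 10) {
        return '[nested too deep]';
    }
    if (is_object($value)) {
        $value = get_object_vars($value);
    }
    if (!is_array($value)) {
        return $value;
    }
    $clean = array();
    foreach ($value as $key => $item) {
        $clean[$key] = isSensitiveKey($key) ? '*****' : redactContext($item, $depth + 1);
    }
    return $clean;
}

// Constructed sample shaped like the context dump quoted in this thread,
// plus a nested block to show that redaction recurses.
$config = array(
    'persistent' => false,
    'host'       => 'db.example.invalid',
    'login'      => 'dbx',
    'password'   => 'dbtxxx',
    'database'   => 'dbx',
    'port'       => 3306,
    'driver'     => 'mysql',
    'prefix'     => '',
    'encoding'   => 'UTF8',
    'Security'   => array('salt' => 'constructed-salt', 'cipherSeed' => '1234567'),
);

$safe = redactContext($config);

// Sanity checks: the secrets are gone, everything else is untouched.
assert($safe['password'] === '*****');
assert($safe['Security']['salt'] === '*****');
assert($safe['Security']['cipherSeed'] === '*****');
assert($safe['login'] === 'dbx' && $safe['host'] === 'db.example.invalid');
assert(strpos(var_export($safe, true), 'dbtxxx') === false);

echo var_export($safe, true), "\n";
```

Redaction only limits what a rendered context reveals; keeping debug at 0 in production, as Mark and euromark say above, is still the control that stops the context from being rendered at all.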

Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-21 Thread Thomas Ploch
OMG,

I certainly could connect to __several__ mysql servers found with this
google query.

Although I agree that this is a developer's mistake, I am sure that
there are a lot of unskilled developers who are doing this because they
just don't know better. So removing those values from the output would
be a +1 from me.

Regards,
Thomas

Am Dienstag, den 21.06.2011, 06:02 -0700 schrieb chris:
 I'm intrigued by this issue.
 
 Can someone explain in what situations the whole config var would be
 output? Is it only when an error occurs, and only at a certain
 debug level? I've never seen it displayed at all whilst developing
 with CakePHP.
 
 Out of interest I googled the first part of the output, i.e.
 
 $config = array( persistent => false,
 
 and it certainly surprised me how many sites this brings back with
 passwords on show.
 


Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-21 Thread looklook look
Now you got my point ;)

I have tried the Google query to show database connection errors on Drupal,
CodeIgniter, WordPress and many others.
But yes, they handle this database error carefully.

So, I think this is a critical issue that should be fixed immediately.

Thanks

Yodi
http://yoodey.com

On Tue, Jun 21, 2011 at 9:36 PM, Thomas Ploch profipl...@googlemail.com wrote:

 OMG,

 I certainly could connect to __several__ mysql servers found with this
 google query.

 Although I agree that this is a developer's mistake, I am sure that
 there are a lot of unskilled developers that are doing this because they
 just don't know better. So removing those values from the output would
 be a +1 from me.

 Regards,
 Thomas

 On Tuesday, 21.06.2011, 06:02 -0700, chris wrote:
  I'm intrigued by this issue.
 
  Can someone explain in what situations the whole config var would be
  output? Is it only when an error occurs, and only at a certain
  debug level? I've never seen it displayed at all whilst developing
  with CakePHP.
 
  Out of interest I googled the first part of the output, i.e.
 
  $config = array( persistent => false,
 
  and it certainly surprised me how many sites this brings back with
  passwords on show.
 
  On Jun 21, 12:46 pm, yodi bashl...@gmail.com wrote:
   Sorry, it was on a random site built by CakePHP.
  
   To Euromark, I found more than 100 websites affected by this problem
   and I don't have much time to email them all.
  
   I think, whether debug > 0 or not, CakePHP shouldn't throw the real password
   into CONTEXT.
  
   I tried searching other CMSs and frameworks. Using the same method, I found
   none of them show the real password when a database connection error
   occurred.
  
   Yes, this is a security issue for me, as there are many developers
   using CakePHP.
  
   To Larry, I can send you some messages to show how much it's affected. It
   can be taken into consideration.
  
   Thanks
  
   On Tue, 2011-06-21 at 06:13 -0500, Larry E. Masters wrote:
Are you saying this was on the CakePHP website or a random site you
were visiting?
  
--
Larry E. Masters
  
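Thomas's suggestion above, removing the credential values from the output, as an added example that is not part of the thread and not CakePHP's own code: a hypothetical maskSensitive() helper that scrubs the sensitive keys of a dumped $config array before a debug page renders it. The key names are the ones in the quoted Context dump; the values are constructed placeholders.

```php
<?php
// Added example, not CakePHP's own code: a hypothetical helper that masks
// credential-bearing keys of a dumped context array before a debug error
// page renders it, so a failed mysql_connect() no longer prints the real
// login and password. Key names follow the $config array quoted above.

/** Keys whose values must never reach an error page (assumed list). */
const SENSITIVE_KEYS = ['password', 'login', 'host'];

/**
 * Return a copy of $context with sensitive values replaced by '*****'.
 * Recurses into nested arrays so a $config array nested inside the
 * error context is masked too; non-sensitive keys are left untouched.
 */
function maskSensitive(array $context, array $keys = SENSITIVE_KEYS): array
{
    foreach ($context as $name => $value) {
        if (is_array($value)) {
            $context[$name] = maskSensitive($value, $keys);
        } elseif (in_array(strtolower((string) $name), $keys, true)) {
            $context[$name] = '*****';
        }
    }
    return $context;
}

// Constructed sample mirroring the Context dump quoted in the thread;
// every value is a placeholder, not a real credential.
$context = [
    'config' => [
        'persistent' => false,
        'host'       => 'db.example.invalid',
        'login'      => 'dbuser',
        'password'   => 'not-a-real-password',
        'database'   => 'app',
        'port'       => 3306,
        'driver'     => 'mysql',
        'prefix'     => '',
        'encoding'   => 'UTF8',
    ],
];

// First line of defence is debug = 0 in production so no context is
// rendered at all; masking is the fallback for when debug is left on.
$safe = maskSensitive($context);
assert($safe['config']['password'] === '*****');
assert($safe['config']['login'] === '*****');
assert($safe['config']['port'] === 3306);
print_r($safe);
```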

Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-21 Thread Miles J
I have brought this problem up before. Last time, the Cake devs said
it was the developer's fault and it will stay in.

-_-


Re: Where should i contact right people in CakePHP.org because this security critical problem

2011-06-21 Thread looklook look
Sad to hear that, Miles.

I hope the Cake devs will not blame the developers' fault again.
Otherwise, the Cake devs should make it a safer way for new developers learning
CakePHP,
who always make many mistakes as they progress in learning.

Thanks

http://yoodey.com
