Re: Security Exploit.
Ok, basically you shouldn't be afraid of script kiddie attacks that much with CakePHP as you should be when using systems like Drupal, Typo3, Joomla, etc. Those people like to use Google to find vulnerable sites, and since CakePHP doesn't leave much of a typical HTML signature, it's a little difficult to find sites powered by CakePHP. That said, you should avoid displaying and especially linking to "Missing Controller"/etc. pages in a production site, since those can easily be found via Google.

The stuff above is what I would call a mass attack without a specific target. Now when somebody really wants to crack your site in particular, your best protection is to maintain some request logs showing untypical behavior (URLs with ?*.php or '..', etc., as well as JavaScript commands). Other than that, most problems will be related to your own code, and there is no way to write 100% totally safe code. Try to be thoughtful when writing the code, invest some time in trying to hack it from the outside, but other than that just hope for the best.

The chances are low that a low-traffic CakePHP site will be a victim of hacks, but for bigger sites you should try to apply some of the strategies above.

Oh, and keep in mind that I'm no expert in security at all. Those are just some strategies I would consider implementing when focusing on security.

Best Regards,
Felix Geisendörfer

--
http://www.thinkingphp.org
http://www.fg-webdesign.de

[EMAIL PROTECTED] wrote:
> Is there any chance that the security expert would be willing to put together a brief overview of security concerns within Cake? I get overwhelmed with the number and variety of exploits and exploiters out there now. Everywhere I look there seems to be a chink in the armor of every online system.
>
> In short, what do I need to know before putting up a Cake-based page for public access? I've been thinking of putting up one of my pages as (what I think is) a nice example of search, but I'm not sure if I can do that without exposing my ISP to an attack.
>
> Regards,
> Clueless in Cleveland

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cake-php
-~--~~~~--~~--~--~---
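Felix's suggestion above is to watch request logs for untypical patterns (URLs with ?*.php or '..', JavaScript commands). The script below is an added example written for this page, not code from the thread or from CakePHP; it scans combined-format access log lines for exactly those patterns and reports the matching lines. The log lines are constructed samples, and the flagged patterns are assumptions about what "untypical" looks like for a typical Cake app: a `..` path segment (also in URL-encoded form), `.php` inside a query string, a `javascript:` URL, and an embedded NUL byte.

```php
<?php
// Added example (not from the thread or from CakePHP): flag access-log request lines
// that show the patterns Felix describes. Log lines below are constructed samples.

function suspiciousRequestPatterns(string $requestTarget): array
{
    // Decode once so %2e%2e%2f is seen as ../ ; a real scanner might decode twice.
    $decoded = rawurldecode($requestTarget);
    $qpos    = strpos($decoded, '?');
    $query   = $qpos === false ? '' : substr($decoded, $qpos + 1);

    $hits = [];
    if (preg_match('~\.\.(?:[/\\\\]|$)~', $decoded)) {
        $hits[] = 'dot-dot segment';            // directory traversal attempt
    }
    if ($query !== '' && preg_match('~\.php\b~i', $query)) {
        $hits[] = '.php in query string';       // e.g. remote/local file include probes
    }
    if (preg_match('~javascript\s*:~i', $decoded)) {
        $hits[] = 'javascript: URL';            // script injection attempt via a parameter
    }
    if (strpos($decoded, "\0") !== false) {
        $hits[] = 'NUL byte';                   // path truncation attempt
    }
    return $hits;
}

// Parse the request target out of an Apache/nginx combined-format line and classify it.
function scanAccessLog(array $lines): array
{
    $flagged = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"~', $line, $m)) {
            continue; // not a request line we understand; skip it
        }
        $hits = suspiciousRequestPatterns($m[1]);
        if ($hits !== []) {
            $flagged[] = ['line' => $n + 1, 'path' => $m[1], 'reasons' => $hits];
        }
    }
    return $flagged;
}

// Constructed sample log (hosts, times and paths are made up for the demo).
$sampleLog = [
    '10.0.0.5 - - [19/Sep/2006:11:01:00 +0000] "GET /posts/index HTTP/1.1" 200 5120',
    '10.0.0.5 - - [19/Sep/2006:11:01:03 +0000] "GET /js/vendors.php?file=../../../outside.txt HTTP/1.1" 200 1744',
    '10.0.0.9 - - [19/Sep/2006:11:02:10 +0000] "GET /js/vendors.php?file=%2e%2e%2f%2e%2e%2foutside.txt HTTP/1.1" 200 2210',
    '10.0.0.9 - - [19/Sep/2006:11:02:11 +0000] "GET /index.php?page=http://example.net/x.php HTTP/1.1" 404 300',
    '10.0.0.7 - - [19/Sep/2006:11:03:00 +0000] "GET /search?q=javascript:void(0) HTTP/1.1" 200 800',
    '10.0.0.7 - - [19/Sep/2006:11:03:05 +0000] "GET /missing_controller HTTP/1.1" 404 300',
];

foreach (scanAccessLog($sampleLog) as $f) {
    printf("line %d: %s  [%s]\n", $f['line'], $f['path'], implode(', ', $f['reasons']));
}
```

To run it against a real log, replace `$sampleLog` with `file('/path/to/access.log', FILE_IGNORE_NEW_LINES)`; the patterns are deliberately narrow so the output stays readable, and a hit is a prompt to look at the surrounding requests from the same host rather than proof of an intrusion.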
Re: Security Exploit.
While there is no guarantee that an exploit will or will not be found, you will notice that within a few hours of tickets being submitted I have a patch created or a new release built. I think compared to many other projects, or even software that you pay for, you would not see this type of turnaround. This last ticket sat for just over 8 hours before I woke up and fixed it:

Reported: 09/17/06 02:52:45
Fixed: 09/17/06 11:31:19

But if someone wants to audit the core, by all means do it; while I try to create "perfect" code, no one is that good...

--
/**
 * @author Larry E. Masters
 * @var string $userName
 * @param string $realName
 * @returns string aka PhpNut
 * @access public
 */
Re: Security Exploit.
On Sep 19, 2006, at 11:01 AM, [EMAIL PROTECTED] wrote:

> Is there any chance that the security expert would be willing to put
> together a brief overview of security concerns within Cake? I get
> overwhelmed with the number and variety of exploits and exploiters out
> there now. Everywhere I look there seems to be a chink in the armor of
> every online system.
>
> In short, what do I need to know before putting up a Cake-based page
> for public access? I've been thinking of putting up one of my pages as
> (what I think is) a nice example of search, but I'm not sure if I can
> do that without exposing my ISP to an attack.

There are no known open security issues:
https://trac.cakephp.org/query?status=new&status=assigned&status=reopened&type=Security+Exploit&order=priority

Given that our usage base is pretty large, you're pretty safe. If you want to increase the security of the system, you're welcome to start hacking at it to see if there's anything we've all missed.

-- John
Re: Security Exploit.
Is there any chance that the security expert would be willing to put together a brief overview of security concerns within Cake? I get overwhelmed with the number and variety of exploits and exploiters out there now. Everywhere I look there seems to be a chink in the armor of every online system.

In short, what do I need to know before putting up a Cake-based page for public access? I've been thinking of putting up one of my pages as (what I think is) a nice example of search, but I'm not sure if I can do that without exposing my ISP to an attack.

Regards,
Clueless in Cleveland
Re: Security Exploit.
Yes, it seems CakePHP has picked up a security expert, as this is the second update I have seen for a CakePHP security fix. Very nice to have someone interested in CakePHP enough to find them AND report them in a manner that the developers can resolve. I love CakePHP!
Re: Security Exploit.
Uhm, I was actually looking over the problematic piece of code a while ago too, but I thought you could only retrieve JS scripts you were not supposed to this way, and I didn't consider it much of a security issue. Good that it has been fixed and that we have some people who like to look at the security aspects in the framework.

Best Regards,
Felix Geisendörfer

--
http://www.thinkingphp.org
http://www.fg-webdesign.de

Larry E. Masters aka PhpNut wrote:
> There was a security exploit brought to my attention today. I have fixed this exploit in the trunk and branched versions.
>
> Please replace the app/webroot/js/vendors.php with this file.
> https://trac.cakephp.org/browser/trunk/cake/1.x.x.x/app/webroot/js/vendors.php?format=txt
>
> This exploit is important to correct since it would allow reading files outside of the vendors/javascript directory when magic_quotes_gpc = Off.
>
> Thank you,
>
> --
> /**
>  * @author Larry E. Masters
>  * @var string $userName
>  * @param string $realName
>  * @returns string aka PhpNut
>  * @access public
>  */
Security Exploit.
There was a security exploit brought to my attention today. I have fixed this exploit in the trunk and branched versions.

Please replace the app/webroot/js/vendors.php with this file.
https://trac.cakephp.org/browser/trunk/cake/1.x.x.x/app/webroot/js/vendors.php?format=txt

This exploit is important to correct since it would allow reading files outside of the vendors/javascript directory when magic_quotes_gpc = Off.

Thank you,

--
/**
 * @author Larry E. Masters
 * @var string $userName
 * @param string $realName
 * @returns string aka PhpNut
 * @access public
 */
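The advisory above says the flaw let vendors.php read files outside the vendors/javascript directory, and that it depended on magic_quotes_gpc being Off. The script below is an added example for this page, not CakePHP's vendors.php or its fix; it shows the general shape of a file-serving endpoint that does not need magic quotes at all, because it validates the requested name with an allow-list and then checks the realpath()-resolved file against the base directory. The directory layout, the `file=` parameter name and the `resolveVendorScript()` helper are assumptions made for the demo.

```php
<?php
// Added example (not CakePHP's vendors.php): resolve a requested script name to a
// file inside a fixed base directory, or return null. Demo layout is constructed.

function resolveVendorScript(string $baseDir, string $requested): ?string
{
    // An embedded NUL byte can truncate the path in the C library calls underneath
    // PHP's filesystem functions, so refuse it before doing anything else.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Allow-list: "name.js" or "subdir/name.js" from a narrow character set.
    // This rejects "..", absolute paths, backslashes and non-.js extensions outright.
    if (!preg_match('~^(?:[A-Za-z0-9_-]+/)?[A-Za-z0-9_-]+\.js\z~', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing: fail closed
    }
    // realpath() returns false for non-existent files and resolves symlinks, so a
    // symlink inside $base that points elsewhere is caught by the prefix check.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the base directory
    }
    return $full;
}

// Demo: constructed temporary directory with one script, then a few requests.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'vendors_js_demo_' . getmypid();
mkdir($tmp . '/ui', 0700, true);
file_put_contents($tmp . '/ui/widget.js', "// demo script\n");

$requests = [
    'ui/widget.js',          // legitimate
    '../../../outside.txt',  // traversal: rejected by the allow-list
    "ui/widget.js\0.txt",    // NUL byte: rejected before touching the filesystem
    '/ui/widget.js',         // absolute path: rejected by the allow-list
    'ui/widget.js.php',      // wrong extension: rejected by the allow-list
    'ui/missing.js',         // does not exist: realpath() returns false
];
foreach ($requests as $r) {
    $resolved = resolveVendorScript($tmp, $r);
    printf("%-24s => %s\n", addcslashes($r, "\0"), $resolved === null ? 'REJECTED' : 'OK: ' . $resolved);
}

// Serving a resolved file: stream bytes with a fixed content type, never include() it.
// header('Content-Type: application/javascript'); readfile($resolved);

unlink($tmp . '/ui/widget.js');
rmdir($tmp . '/ui');
rmdir($tmp);
```

The two checks are deliberately redundant: the allow-list stops anything unusual before the filesystem is touched, and the realpath() prefix comparison is the backstop that holds even if the allow-list is later loosened. Relying on magic_quotes_gpc for this kind of protection was fragile because it is a server-wide setting that the application does not control and that later PHP versions removed entirely.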