Re: Security issue with Model->save() when adding data (Cake 1.2)

On 9/4/07, J. Eckert [EMAIL PROTECTED] wrote:
> Hi there,
>
> There seems to be a security issue with the Model->save() function in
> Cake 1.2 if you are adding data through a form.

I don't know if you already checked it out, but there is a Security component that I think might help alleviate some of your fears about the exact type of attack you are talking about:

http://manual.cakephp.org/chapter/security

There have also been a few threads on this mailing list about it as well, so I also suggest searching those out via the Google Groups interface.

Hope that helps.

--
Chris Hartjes
Senior Developer
Cake Development Corporation

My motto for 2007: Just build it, damnit!

@TheBallpark - http://www.littlehart.net/attheballpark
@TheKeyboard - http://www.littlehart.net/atthekeyboard

You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Re: Security issue with Model->save() when adding data (Cake 1.2)

You could also hash your id in a hidden field, and when receiving the form, hash the id again and compare with the hidden hashed field. To trick you, they would have to find the hash string as well... a bit harder. That, with the Security component, should cover your needs.

Hope this helps

On Sep 4, 7:00 pm, Chris Hartjes [EMAIL PROTECTED] wrote:
> On 9/4/07, J. Eckert [EMAIL PROTECTED] wrote:
> > Hi there,
> >
> > There seems to be a security issue with the Model->save() function in
> > Cake 1.2 if you are adding data through a form.
>
> I don't know if you already checked it out, but there is a Security
> component that I think might help alleviate some of your fears about the
> exact type of attack you are talking about:
>
> http://manual.cakephp.org/chapter/security
>
> There have also been a few threads on this mailing list about it as
> well, so I also suggest searching those out via the Google Groups
> interface.
>
> Hope that helps.
>
> --
> Chris Hartjes
> Senior Developer
> Cake Development Corporation
>
> My motto for 2007: Just build it, damnit!
>
> @TheBallpark - http://www.littlehart.net/attheballpark
> @TheKeyboard - http://www.littlehart.net/atthekeyboard
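The hidden-field check francky06l describes, written out as an added example (this is not code from the thread or from CakePHP). It uses a keyed HMAC rather than a bare hash, because a plain hash of the id can be recomputed by anyone who knows the algorithm; with a server-side secret the client cannot forge a tag for a different id. The constant name, field names and the secret value are assumptions, and hash_equals() needs PHP 5.6 or later. Note that this only proves the id came from a form the server issued; it does not by itself prove the current user is allowed to edit that record, so an authorization check is still needed on edit.

```php
<?php
// Added example (not from the thread, not CakePHP code): bind a record id
// carried in a hidden form field to a server-side secret so the client
// cannot swap in another id without also producing a valid tag.
// Assumption: the secret is loaded from configuration, never hard-coded.
const FORM_ID_SECRET = 'replace-with-a-long-random-secret-from-config';

// Tag written into a second hidden field ("id_token") next to "id" when the
// edit form is rendered. The label prefix keeps tags for different
// models/fields from being interchangeable.
function signRecordId($id, $secret = FORM_ID_SECRET) {
    return hash_hmac('sha256', 'Model.id:' . (string)$id, $secret);
}

// On submit: the id is trusted only if its tag verifies.
// Returns the integer id, or null when the field is missing or tampered.
function verifyRecordId(array $postData, $secret = FORM_ID_SECRET) {
    if (!isset($postData['id'], $postData['id_token'])) {
        return null;
    }
    $expected = signRecordId($postData['id'], $secret);
    // hash_equals() compares in constant time, so the tag cannot be
    // guessed byte-by-byte through response timing.
    if (!hash_equals($expected, (string)$postData['id_token'])) {
        return null;
    }
    return (int)$postData['id'];
}

// --- constructed sample submissions (not real traffic) ---
$legit = array('id' => 42, 'id_token' => signRecordId(42), 'title' => 'hello');

$tampered = $legit;
$tampered['id'] = 7;            // id changed, tag still belongs to 42

$stripped = array('id' => 42, 'title' => 'hello');   // token removed entirely

var_dump(verifyRecordId($legit));    // int(42)
var_dump(verifyRecordId($tampered)); // NULL
var_dump(verifyRecordId($stripped)); // NULL
```

In an add form there is no legitimate id at all, so the simplest defence there is not to sign anything but to drop the key before save(); the signed field is for edit forms, where the id must round-trip through the client.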
Re: Security issue with Model->save() when adding data (Cake 1.2)

My proposed fix in the trac ticket is that if there is a fieldList parameter, 'id' has to be in that list, otherwise it won't be set. I think this is really important as a default behaviour for Cake. It's rather confusing that you have a whitelist but 'id' gets through. It's dangerous.

Just to make sure you understand what happens: you have an add method in your controller:

    function add() {
        $this->Model->create();
        $this->Model->save($this->data, true, array('field1', 'field2'));
    }

So if someone adds an 'id' field to your add form, your add method overwrites an existing record, despite your having used create() and a whitelist.

Don't get me wrong, the above sample is just very simplified.

Cheers,
Timo

On 9/4/07, francky06l [EMAIL PROTECTED] wrote:
> You could also hash your id in a hidden field, and when receiving the
> form, hash the id again and compare with the hidden hashed field. To
> trick you, they would have to find the hash string as well... a bit
> harder. That, with the Security component, should cover your needs.
>
> Hope this helps
>
> On Sep 4, 7:00 pm, Chris Hartjes [EMAIL PROTECTED] wrote:
> > On 9/4/07, J. Eckert [EMAIL PROTECTED] wrote:
> > > Hi there,
> > >
> > > There seems to be a security issue with the Model->save() function
> > > in Cake 1.2 if you are adding data through a form.
> >
> > I don't know if you already checked it out, but there is a Security
> > component that I think might help alleviate some of your fears about
> > the exact type of attack you are talking about:
> >
> > http://manual.cakephp.org/chapter/security
> >
> > There have also been a few threads on this mailing list about it as
> > well, so I also suggest searching those out via the Google Groups
> > interface.
> >
> > Hope that helps.
> >
> > --
> > Chris Hartjes
> > Senior Developer
> > Cake Development Corporation
> >
> > My motto for 2007: Just build it, damnit!
> >
> > @TheBallpark - http://www.littlehart.net/attheballpark
> > @TheKeyboard - http://www.littlehart.net/atthekeyboard

--
Timo Derstappen
http://teemow.com
mailto:[EMAIL PROTECTED]
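The behaviour Timo is asking for, shown as an added example rather than as CakePHP's own code: a whitelist filter that treats the primary key like any other column, so 'id' only survives when the caller names it in the field list. The function names, field names and the sample submission are made up for illustration; the save() signature `save($data, $validate, $fieldList)` is the one used in the thread.

```php
<?php
// Added example (not CakePHP code): apply the field whitelist before the
// data reaches save(), dropping 'id' unless it is explicitly listed.
// whitelistFields() and assertNoPrimaryKey() are hypothetical helpers.

// Keep only the keys named in $fieldList. Anything else in the submitted
// data, including an injected 'id' or a column the form never rendered,
// is discarded here and can never be assigned by the model.
function whitelistFields(array $data, array $fieldList) {
    return array_intersect_key($data, array_flip($fieldList));
}

// Guard for add actions: the primary key must never be present, since an
// id on an add turns create() + save() into an update of an existing row.
function assertNoPrimaryKey(array $data, $pk = 'id') {
    if (array_key_exists($pk, $data)) {
        throw new InvalidArgumentException("'$pk' must not be present on add");
    }
    return true;
}

// Field lists an "add" and an "edit" action would pass as the third
// argument of save(). Only edit lists 'id', and an edit action should
// still verify the user may modify that particular record.
$addFields  = array('field1', 'field2');
$editFields = array('id', 'field1', 'field2');

// Constructed submission: the client has added 'id' and an extra column
// that the add form never contained.
$submitted = array('id' => 99, 'field1' => 'a', 'field2' => 'b', 'is_admin' => 1);

$forAdd = whitelistFields($submitted, $addFields);
assertNoPrimaryKey($forAdd);
var_dump($forAdd);
// array('field1' => 'a', 'field2' => 'b')  -> new row created, row 99 untouched

$forEdit = whitelistFields($submitted, $editFields);
var_dump($forEdit);
// array('id' => 99, 'field1' => 'a', 'field2' => 'b')  -> 'is_admin' dropped

// In a controller this sits in front of the call from the thread:
//   $this->Model->create();
//   $this->Model->save(whitelistFields($this->data, $addFields), true, $addFields);
```

Passing the same list both to the filter and as the fieldList argument means the request cannot reintroduce a key that the controller did not choose, regardless of how the model itself treats 'id'.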