Re: Security issue with Model->save() when adding data (Cake 1.2)

2007-09-04 Thread Chris Hartjes

On 9/4/07, J. Eckert [EMAIL PROTECTED] wrote:

 Hi there,

 There seems to be a security issue with the Model->save() function in
 Cake 1.2 if you are adding data through a form.

I don't know if you already checked it out, but there is a Security
component that I think might help alleviate some of your fears about
the exact type of attack you are talking about:

http://manual.cakephp.org/chapter/security

There have also been a few threads on this mailing list about it as
well, so I also suggest searching those out via the Google Groups
interface.

Hope that helps.

-- 
Chris Hartjes
Senior Developer
Cake Development Corporation

My motto for 2007:  Just build it, damnit!

@TheBallpark - http://www.littlehart.net/attheballpark
@TheKeyboard - http://www.littlehart.net/atthekeyboard

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups Cake 
PHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: Security issue with Model->save() when adding data (Cake 1.2)

2007-09-04 Thread francky06l

You could also hash your id in a hidden field, and when receiving the
form, hash the id again and compare with the hidden hashed field. To
trick you, one would have to find the hash string also... a bit harder. That
with the Security should cover your needs.
Hope this helps.

On Sep 4, 7:00 pm, Chris Hartjes [EMAIL PROTECTED] wrote:
 On 9/4/07, J. Eckert [EMAIL PROTECTED] wrote:



  Hi there,

  There seems to be a security issue with the Model->save() function in
  Cake 1.2 if you are adding data through a form.

 I don't know if you already checked it out, but there is a Security
 component that I think might help alleviate some of your fears about
 the exact type of attack you are talking about:

 http://manual.cakephp.org/chapter/security

 There have also been a few threads on this mailing list about it as
 well, so I also suggest searching those out via the Google Groups
 interface.

 Hope that helps.

 --
 Chris Hartjes
 Senior Developer
 Cake Development Corporation

 My motto for 2007:  Just build it, damnit!

 @TheBallpark - http://www.littlehart.net/attheballpark
 @TheKeyboard - http://www.littlehart.net/atthekeyboard


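francky06l's hidden-field check, written out as an added PHP example that is not from the thread: the form carries the record id plus a keyed HMAC of it, and the server recomputes and compares before trusting the id. It assumes a server-side secret loaded from app config; a bare, unkeyed hash of the id could be recomputed by the client, which is why a keyed MAC is used here.

```php
<?php
// Added example, not from the thread: pair the id in an edit form with a
// keyed MAC so a submitted id that was swapped by the client is rejected.
// $secret is assumed to come from server-side configuration.

function idToken($id, $secret) {
    // Keyed hash: an unkeyed md5/sha1 of the id could be recomputed by anyone.
    return hash_hmac('sha256', (string)(int)$id, $secret);
}

// Hidden fields to emit in the edit form.
function hiddenIdFields($id, $secret) {
    return array('id' => (int)$id, 'id_token' => idToken($id, $secret));
}

// Returns the trusted id, or null if the id/token pair does not verify.
function verifyPostedId(array $post, $secret) {
    if (!isset($post['id'], $post['id_token'])) {
        return null;
    }
    $expected = idToken($post['id'], $secret);
    // Constant-time comparison (hash_equals needs PHP >= 5.6).
    if (!hash_equals($expected, (string)$post['id_token'])) {
        return null;
    }
    return (int)$post['id'];
}

$secret = 'replace-with-a-real-server-side-secret'; // assumption: from app config

$fields = hiddenIdFields(42, $secret);          // what the edit form renders
var_dump(verifyPostedId($fields, $secret));     // int(42): untouched form passes

$tampered = $fields;
$tampered['id'] = 1;                            // id swapped, token left as-is
var_dump(verifyPostedId($tampered, $secret));   // NULL: rejected
```

On an add action the simplest rule remains not to accept an id from the form at all; the token only makes sense for edit forms where the id legitimately round-trips.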



Re: Security issue with Model->save() when adding data (Cake 1.2)

2007-09-04 Thread Timo Derstappen

My proposed fix in the trac ticket is that if there is a fieldList
parameter, 'id' has to be in that list otherwise it won't be set.

I think this is really important as a default behaviour for cake. It's
rather confusing that you have a whitelist but 'id' gets through. It's
dangerous. Just to make sure you understand what happens:

You have an add method in your controller:

function add() {
    $this->Model->create();
    // whitelist: only field1 and field2 should be taken from the form
    $this->Model->save($this->data, true, array('field1', 'field2'));
}

So if someone adds an 'id' field to your add form, your add method
overwrites an existing record, despite your having used create() and a whitelist.
Don't get me wrong, the above sample is just very simplified.

Cheers,
Timo

On 9/4/07, francky06l [EMAIL PROTECTED] wrote:

 You could also hash your id in a hidden field, and when receiving the
 form, hash the id again and compare with the hidden hashed field. To
 trick you, one would have to find the hash string also... a bit harder. That
 with the Security should cover your needs.
 Hope this helps.

 On Sep 4, 7:00 pm, Chris Hartjes [EMAIL PROTECTED] wrote:
  On 9/4/07, J. Eckert [EMAIL PROTECTED] wrote:
 
 
 
   Hi there,
 
   There seems to be a security issue with the Model->save() function in
   Cake 1.2 if you are adding data through a form.
 
  I don't know if you already checked it out, but there is a Security
  component that I think might help alleviate some of your fears about
  the exact type of attack you are talking about:
 
  http://manual.cakephp.org/chapter/security
 
  There have also been a few threads on this mailing list about it as
  well, so I also suggest searching those out via the Google Groups
  interface.
 
  Hope that helps.
 
  --
  Chris Hartjes
  Senior Developer
  Cake Development Corporation
 
  My motto for 2007:  Just build it, damnit!
 
  @TheBallpark - http://www.littlehart.net/attheballpark
  @TheKeyboard - http://www.littlehart.net/atthekeyboard

-- 
Timo Derstappen

http://teemow.com
mailto:[EMAIL PROTECTED]

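The overwrite Timo describes, alongside the two remedies (treating 'id' like any other whitelisted field, and stripping 'id' from posted data in the controller), as an added plain-PHP illustration rather than CakePHP's own Model::save(); the stand-in save function, table layout and posted fields are constructed for the example.

```php
<?php
// Added example (plain PHP, not CakePHP's Model::save()): why a whitelist that
// still lets 'id' through turns an add into an overwrite, and two remedies.
// Table layout, field names and posted data are constructed for illustration.
// Behaviour described in the thread: fields outside $fieldList are dropped,
// but 'id' is kept whether or not it was listed.
function whitelistLeakingId(array $row, array $fieldList) {
    $kept = array();
    foreach ($row as $field => $value) {
        if ($field === 'id' || in_array($field, $fieldList, true)) {
            $kept[$field] = $value;
        }
    }
    return $kept;
}

// Proposed fix: 'id' survives only when it is explicitly in the whitelist.
function whitelistStrict(array $row, array $fieldList) {
    return array_intersect_key($row, array_flip($fieldList));
}

// Stand-in for the table: a row with an existing id updates, otherwise inserts.
function saveRow(array &$table, array $row) {
    if (isset($row['id']) && isset($table[$row['id']])) {
        $table[$row['id']] = $row + $table[$row['id']]; // existing record clobbered
        return 'update';
    }
    $table[] = $row;
    return 'insert';
}

$table = array(1 => array('id' => 1, 'field1' => 'admin', 'field2' => 'orig'));
$fieldList = array('field1', 'field2');

// Constructed request: the normal add form plus an injected hidden 'id' field.
$posted = array('field1' => 'evil', 'field2' => 'new', 'id' => 1, 'role' => 'admin');

$t1 = $table;
echo saveRow($t1, whitelistLeakingId($posted, $fieldList)), "\n"; // update: record 1 overwritten

$t2 = $table;
echo saveRow($t2, whitelistStrict($posted, $fieldList)), "\n";    // insert: new record

// Controller-side defence that works with the current behaviour: drop 'id'
// from the posted data before create()/save() on an add action.
$data = $posted;
unset($data['id']);
$t3 = $table;
echo saveRow($t3, whitelistLeakingId($data, $fieldList)), "\n";   // insert
```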