Re: Security Question
On Wed, Mar 13, 2013 at 10:19 PM, Advantage+ movepix...@gmail.com wrote:
> When I logout of my site it redirects me to /login. If I then hit login (nothing entered in user / pass) I get black-holed. [...]

Is debug set to 0? If so, Cake throws a 404 on error. There may be something wrong in your code. Set it to 2 and see if it displays an error msg.

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups CakePHP group. To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscr...@googlegroups.com. To post to this group, send email to cake-php@googlegroups.com. Visit this group at http://groups.google.com/group/cake-php?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
Security Question
When I logout of my site it redirects me to /login. If I then hit login (nothing entered in user / pass) I get black-holed. The requested address '/login' was not found on this server. Why is that? It should just show the errors Invalid User / Pass or validation errors, not black hole the whole thing. Ideas?
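The reply's point is that with debug set to 0 the Security component's black hole surfaces as a bare 404, which hides the reason (a stale form token right after logout is the usual one). The AppController below is an added example, not code from this thread or from the CakePHP project: it registers a blackHoleCallback so the failure is logged with its type and the user is sent back to the login form with a message. It assumes CakePHP 2.x; the log scope 'security', the flash text and the users/login route are assumptions of the example.

```php
<?php
// Added example (not from the thread): an AppController for a CakePHP 2.x app
// that replaces the Security component's default black hole with a logged,
// readable error. Class, component and method names are CakePHP 2.x's; the
// log scope 'security', the flash text and the login route are assumptions.
App::uses('Controller', 'Controller');
App::uses('CakeLog', 'Log');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth',
        // blackHoleCallback names the controller action that runs instead of
        // the default behaviour (a 400/404 page, which with debug 0 says nothing
        // about why the request was rejected).
        'Security' => array('blackHoleCallback' => 'blackhole'),
    );

    /**
     * Called by SecurityComponent when a request fails one of its checks.
     * $type is 'auth' (form token missing/tampered), 'csrf', 'get'/'post'/
     * 'put'/'delete' (wrong HTTP method for a required-method action) or
     * 'secure' (SSL required).
     */
    public function blackhole($type) {
        CakeLog::write('security', sprintf(
            'blackhole type=%s url=%s user=%s ip=%s',
            $type,
            $this->request->here,
            $this->Auth->user('id') ?: 'anonymous',
            $this->request->clientIp()
        ));

        if ($type === 'auth' || $type === 'csrf') {
            // Expired or missing form token: typical right after logout, when the
            // session that issued the token on the login page is gone. Send the
            // user to a fresh form with a message instead of a 404.
            $this->Session->setFlash('Your form has expired; please try again.');
            return $this->redirect(array('controller' => 'users', 'action' => 'login'));
        }

        // Everything else (wrong method, SSL required) is a genuine bad request.
        throw new BadRequestException('The request was blocked by the security component.');
    }
}
```

Keep debug at 0 in production; the callback gives you the diagnostic the reply suggests getting from debug 2, without exposing stack traces to users. The log line is what you would grep for when a real user reports "page not found" on login.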
Security question
Security as in secure, not the Security component, to not confuse anyone. Is it better / more secure / better practise to have a table with "password" information only, with fields like user_id, reset_token, question, answer, password, email, attempts, and keep plain text (firstname, lastname, so on) in a User table? Just curious. Thanks, Dave
Re: Security question
Why do you think this would be more secure?

--
Larry E. Masters

On Tue, Jan 25, 2011 at 3:13 PM, Dave Maharaj m...@davemaharaj.com wrote:
> Security as in secure, not the Security component, to not confuse anyone. [...]
RE: Security question
I do not think if it is or is not... hence the question.

From: Larry E. Masters [mailto:php...@gmail.com]
Sent: Tuesday, January 25, 2011 5:49 PM
To: cake-php@googlegroups.com
Subject: Re: Security question

> Why do you think this would be more secure?
Re: Security question
There is no benefit to doing this.

--
Larry E. Masters

On Tue, Jan 25, 2011 at 3:23 PM, Dave Maharaj m...@davemaharaj.com wrote:
> I do not think if it is or is not... hence the question. [...]
RE: Security question
Thanks. That's all I needed to know :)
Re: Security question
Welcome. You might want to look at this plugin on github too, it might save you some time. https://github.com/CakeDC/users

--
Larry E. Masters

On Tue, Jan 25, 2011 at 3:32 PM, Dave Maharaj m...@davemaharaj.com wrote:
> Thanks. That's all I needed to know :)
Security Question
I am trying to figure out the best way to sanitize and clean data and have it safe, readable and as easy as possible. In my controller I have:

```php
$clean = new Sanitize();
$this->data = $clean->clean($this->data);
```

Basic simple clean method. But if a user enters <script><?php echo $something ?>, when it's time to edit they see &lt;script&gt;&lt;?php debug&#40;$award&#41;; ?&gt; which is completely unreadable, so in the edit form I have

```php
<?php echo $form->input('description', array('value' => html_entity_decode($this->data['Event']['description']))); ?>
```

which converts the crazy characters back to normal readable characters. What are the security issues with this? Saved data is &lt;script&gt;&lt;?php debug&#40;$award&#41;; ?&gt; but when it's time to edit the record they can read it.

Thanks, Dave
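The post encodes on the way in and decodes again for the edit form. The snippet below is an added example, not the poster's code, that puts that pattern next to the alternative of storing the raw value and escaping at the point of output; the input string and the esc() helper (the same htmlspecialchars call CakePHP's h() makes) are constructed for the demo, and no framework is assumed.

```php
<?php
// Added example, not code from the post: "encode before storing" (the post's
// approach) beside "store raw, escape on output". Plain PHP; the $input value
// is constructed for the demo and esc() mirrors what CakePHP's h() does.

$input = '<script><?php debug($award); ?></script>';

// Pattern A (the post): entity-encode on the way into the database.
function store_encoded($value) {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Pattern B: store what was typed; validate here, do not encode here.
function store_raw($value) {
    return $value;
}

// Escape once, at output, for the context the value is going into (HTML).
function esc($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// An edit-form field rendered from a stored value. With pattern B the value
// attribute is escaped exactly once and the user sees the original text in
// the form; no html_entity_decode step is needed anywhere.
function render_input($name, $value) {
    return '<input name="' . esc($name) . '" value="' . esc($value) . '">';
}

$stored_a = store_encoded($input);
$stored_b = store_raw($input);

echo render_input('description', $stored_b), "\n";

// Pattern A's cost: the stored value is already encoded, so any view that
// escapes it again (every helper does, by default) double-encodes it, and
// the user sees literal "&lt;script&gt;" on the page. The edit form in the
// post works only because it undoes the encoding by hand.
echo render_input('description', $stored_a), "\n";
echo render_input('description', html_entity_decode($stored_a, ENT_QUOTES, 'UTF-8')), "\n";
```

The first and third lines of output are identical; the second shows the double encoding. Whichever pattern is chosen, the rule that decides whether a stored <script> tag is dangerous is the escaping at output, not the transformation at storage.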
Security Question
I have this function and was wondering what are the security holes by doing it this way? I am not passing any variables so I do not need to check if $someVariable == $this->Auth->user('id'). You have to be logged in; all the info is pulled from $this->Auth->user('id'). I could use function personal($id) then compare $id == $this->Auth->user('id') but it seems un-needed in this situation. Can someone point out any security issues by doing it this way?

```php
function personal() {
    if ($this->RequestHandler->isAjax()) {
        $id = $this->Auth->user('id');
        if (!$id && empty($this->data)) {
            $this->redirect(array('action' => 'index'));
        }
        if (!empty($this->data)) {
            if ($this->User->save($this->data)) {
                // code...
            } else {
                // code...
            }
        }
        if (empty($this->data)) {
            // ...code
        }
    } else {
        $this->redirect('/' . $this->Auth->user('slug'));
    }
}
```

Dave
Re: Security Question
I don't see anything wrong with it, it's pretty much a typical action setup.
RE: Security Question
Thanks for your insight. Dave

-----Original Message-----
From: Miles J [mailto:mileswjohn...@gmail.com]
Sent: August-06-09 6:04 PM
To: CakePHP
Subject: Re: Security Question

> I don't see anything wrong with it, it's pretty much a typical action setup.
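The posted action reads the user id from the session, which is the right source, and then calls $this->User->save($this->data) with the data exactly as submitted. The controller below is an added example, not the poster's code, showing the same action with two additional checks a reviewer would ask for: the id written to the database is pinned to the session value even if the form posts a different User.id, and the saved columns are restricted with Model::save()'s fieldList argument. It assumes CakePHP 1.3/2.x (Auth, RequestHandler, Session components, save() with fieldList); the 'slug' column is from the post, the column names in $editable are an assumption.

```php
<?php
// Added example, not the poster's code: the "personal" action with the record
// id taken from the session and the writable columns whitelisted. Assumes
// CakePHP 1.3/2.x; $editable lists assumed User columns.
class UsersController extends AppController {

    public $components = array('Auth', 'RequestHandler', 'Session');

    public function personal() {
        if (!$this->RequestHandler->isAjax()) {
            return $this->redirect('/' . $this->Auth->user('slug'));
        }

        $id = $this->Auth->user('id');
        if (!$id) {
            return $this->redirect(array('action' => 'index'));
        }

        if (!empty($this->data)) {
            // Whatever the form posted as User.id is discarded: the row being
            // updated is always the logged-in user's own, so a hand-built form
            // (Firebug, curl) cannot point the save at somebody else's record.
            $this->data['User']['id'] = $id;
            $this->User->id = $id;

            // fieldList is a whitelist. Columns not listed here (role, password,
            // email_verified, ...) are ignored even if present in the POST body,
            // so adding an extra input to the form does not escalate anything.
            $editable = array('firstname', 'lastname', 'bio');
            if ($this->User->save($this->data, true, $editable)) {
                $this->Session->setFlash('Profile updated.');
            } else {
                $this->Session->setFlash('Profile could not be saved.');
            }
        }

        $this->set('user', $this->User->read(null, $id));
    }
}
```

Taking the id from the session and whitelisting fields are independent: the first stops a user editing another user's row, the second stops a user editing columns of their own row that the form was never meant to expose.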
Re: Security question
Hi Dave,

In terms of security, my opinion is that your concern should be with how the data is protected rather than the profiles a person can have. I was responsible for the architecture of a major real estate application and we implemented it in a similar way that you mentioned. Each user had profiles, with each one representing either property, sale, or rental. Each type of profile had its own table, with a one-to-many relationship from the user.

Hope this helps,
Richard

On Sun, Jul 12, 2009 at 4:27 PM, Dave Maharaj :: WidePixels.com d...@widepixels.com wrote:
> What would be the security holes to watch for in a situation like this? Everyone who registers is a user. User is then broken up into one of 2 groups depending on what role they select (think of a real estate site where you may be looking for a home or selling, so you're either a buyer or seller). There is nothing to really prevent a user from signing up as each, as each side of the site is specific for the role they select and no interaction between the 2 really, but once you're logged in you cannot access the registration form again, so sure you can logout and register again but get a new user id, so I really do not see any security issues with the idea. But the user hasOne sellerProfile and user hasOne buyerProfile seems to worry me somewhat because the user can only have 1 or the other and not both. I split the profiles simply because the information is so different for each side. Are there issues with this approach?
>
> Dave
Re: Security question
If you're not modifying form fields with javascript, AJAX form submissions should have no impact on the use of the Security component and its ability to prevent CSRF attacks.

-j.

On May 20, 11:22 pm, Dave Maharaj :: WidePixels.com d...@widepixels.com wrote:
> I am trying to break my application. How can I tell if a logged in user is trying to do the same by using firebug and adding a form to a page? [...]
Security question
I am trying to break my application. How can I tell if a logged in user is trying to do the same by using firebug and adding a form to a page? I don't want to just sanitize and all of that... I want to know and ban that specific user. What would be the best approach to determine if a user is trying to submit data that should not be submitted? For example, a page that has no form and someone adds a form and tries to submit: could I easily check $this->data because there should be none?

```php
if (!empty($this->data)) {
    // ...banUser()...
}
```

Is there a better method or something already around that can help? Most of my requests are AJAX so for pages with forms the Security component is no good for me. Ideas? Suggestions?

Thanks, Dave
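The reply says the Security component's token check still works for AJAX submissions. The functions below are an added example, not code from the thread or from CakePHP, of the check that component performs, written out by hand so the "who did it" part of the question can be answered too: a per-session random token is issued with the page, the client sends it back in an X-CSRF-Token header on every AJAX POST, and the server compares in constant time and logs the user id and address on a mismatch. Plain PHP 7+ (random_bytes, hash_equals), no framework assumed; the request arrays at the bottom are constructed for the demo.

```php
<?php
// Added example, not from the thread: a minimal per-session CSRF token check
// for AJAX posts, the same idea the Security component implements. Plain PHP 7+;
// the $session/$good/$forged arrays are constructed demo data.

// Issue (or reuse) the session's token; the page embeds it, e.g. in a
// <meta> tag, and the JS layer sends it as an X-CSRF-Token header.
function csrf_issue() {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Run at the top of every state-changing action. $server and $session are
// passed in (rather than read from globals) so the check is testable.
function csrf_verify(array $server, array $session, $user_id, array &$log) {
    $sent     = isset($server['HTTP_X_CSRF_TOKEN']) ? $server['HTTP_X_CSRF_TOKEN'] : '';
    $expected = isset($session['csrf_token']) ? $session['csrf_token'] : '';

    // hash_equals compares in constant time and returns false on a length
    // mismatch, which covers the "no header at all" case of an injected form.
    if ($expected === '' || !hash_equals($expected, $sent)) {
        $log[] = sprintf('csrf failure user=%s ip=%s uri=%s',
            $user_id, $server['REMOTE_ADDR'], $server['REQUEST_URI']);
        return false;
    }
    return true;
}

// Constructed demo data.
$token   = str_repeat('a', 64);
$session = array('csrf_token' => $token);
$log     = array();

// A request made by the page's own JS: header present and matching.
$good = array(
    'HTTP_X_CSRF_TOKEN' => $token,
    'REMOTE_ADDR'       => '203.0.113.9',
    'REQUEST_URI'       => '/users/personal',
);
// A form pasted into the page with Firebug: no token header at all.
$forged = array(
    'REMOTE_ADDR' => '203.0.113.9',
    'REQUEST_URI' => '/users/personal',
);

var_dump(csrf_verify($good, $session, 42, $log));
var_dump(csrf_verify($forged, $session, 42, $log));
print_r($log);
```

The second call fails and leaves one log line naming user 42. Treat that line as a signal to investigate rather than an automatic ban: a token also fails legitimately when a session expires between page load and submit, so a single failure from a logged-in user is not proof of tampering.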
Re: where to start - basic security question?
Yes, I would say most people use the controller/action/params type urls. Most people's thoughts about passing the action through a POST instead of a GET to make it more secure are moot. You can fake (and modify variables) in a POST request just as easily as you can with GET.

Your post indicates that you are aware of verifying user permissions before you do any modifications to the database, so I won't go into that.

Typically, a GET request should never modify anything on the server. The default baked controllers in cake still use a GET for the delete action for simplicity, but really they should be POST in a secure application. You are left to implement this yourself (with the help of the RequestHandler/Security components).

Cheers,
Adam

On Jan 13, 9:27 am, SethA satk...@nortel.com wrote:
> I'm new to all this. It all started with a desire on my part to start building some PHP based apps on my own time. [...]
Re: where to start - basic security question?
If you don't like the default {controller/action/params} shape then CakePHP accepts your own custom URLs by using URL Routes, check this out: Custom URLs from the Site Root http://bakery.cakephp.org/articles/view/custom-urls-from-the-site-root . Moreover, having controller name, action, and params explicitly viewable by the users is not a security issue because even if you hide them they will be viewable by a lot of tools that give you a lot of information about client - server transactions, like the Live HTTP Headers plugin for FireFox https://addons.mozilla.org/en-US/firefox/addon/3829 . The real security land is your server, where you need to protect yourself from SQL injections, XSS ... etc, and for this reason CakePHP provides you with very nice built in tools to satisfy this objective, like the Security Component http://book.cakephp.org/view/324/The-Security-Component , and the Sanitize Class http://book.cakephp.org/view/321/Data-Sanitation-The-Sanitize-Class and a lot more!

On Mon, Jan 12, 2009 at 6:27 PM, SethA satk...@nortel.com wrote:
> I'm new to all this. It all started with a desire on my part to start building some PHP based apps on my own time. [...]
Re: where to start - basic security question?
I think I should clarify. I think Adam correctly understood what I was trying to get at. For further context, look at the blog example code and how they use the HTML helper to craft the links to actions like deleting posts, creating posts, etc. So you get a delete link that when you hover you see a URL that you could copy into the address bar, modify parameters and press enter. Even my mom could notice the connections :-).

I fully understand that tools abound to discover things that are slightly better hidden. Heck, even with POST, someone can just look at the page source and see the action, etc. And I have no doubt that tools for forging POST info exist. And yes, I totally agree that to thwart a determined hacker you have to have server side security to prevent SQL injection, etc. I fully plan to implement all that. Who knows, maybe I miss something somewhere.

I guess I just don't like the hover effect making it clear to any average Joe that if they just type a crafted URL into the toolbar, they might be able to cheat my app. Hopefully all my server side controls will prevent that, but then I will have to create all the pages that inform the user they aren't authorized to call that action from where they are at, yada, yada. If I just contain the actions that do stuff to POST input, I can discourage the creative exploration and temptation to try this that people like me tend to do when they see the app logic so blatantly exposed through hyperlinks which you can just hover over.

I think the answer I am getting from Adam is what I was thinking. Use POST for actions that do stuff to the database, regular URL based actions for just simple viewing type actions. ...And know that that is not security, at least not real security, but just a simple frontline measure to discourage the average attempt at tampering. What I am getting from Miles is the authorization mechanisms to implement on the server side, which is part B to the answer. I see that, for example, I can limit it so that an action is only callable by a POST, so even if someone figures out how to craft a URL, it won't work because Cake won't allow it. But that means that the view that allows the user to select that action CANNOT use the typical URL based linking (as in the blog example), which goes back to my original question, of whether the blog example is typical for a real world app that allows data modification, or just instructive to show how things are linked up in CakePHP.

Thanks all! I think that answers what I was looking for. Particularly, thanks Adam. Spot on what I was looking for.
where to start - basic security question?
I'm new to all this. It all started with a desire on my part to start building some PHP based apps on my own time. I'm not a programmer by trade, so try to be understanding with me :). After months of [part time] googling, I've become familiar (somewhat) with MVC, why it is important, frameworks, why I should use one, etc. (problem with googling is that in a fluid landscape, often times it is hard to discern obsolete info/articles from contemporary and current best practices). Haven't started anything yet due to my perfectionism wanting to do it right the first time. I've finally gotten myself to the point of taking that leap, and I think I am ready. Not wanting to write spaghetti PHP just to have to redo it later in a better way once I get my feet wet. Up till now, I've just been finding my way by stumbling across this blog, that article, yada yada.

This is my first time posting anywhere to ask specific questions that are troubling me. I've been trying to find a good framework, what do most people use these days, yada, yada. Yeah, I know probably a stupid question. I have looked at Phrame (I know...) because some [old] articles I read during my research used it as an example for MVC based apps. I was tempted to build my first app with it, but decided that due to its apparent lack of maintenance and aging state (uses PHP4), I should find out what else is out there. Stumbled across CakePHP, and this seems like a good place to begin (at least). I haven't completely settled on this as my choice to dive in and am hoping the answer I get can help me fully decide.

So, anywho... here goes. What is bothering me as I have begun looking through the docs and the example blog app is this: I see that the basic mechanism for the web app to trigger various actions and so forth is to use URLs of this form site.com/controller/action/param1/param2. I fully accept that I may be the idiot of the year for asking whether I am wrong in thinking that this is a basic security problem? I personally don't want to expose this to an end user. I guess I am thinking that anyone could attempt to type a desired action into the address bar whether or not the application should allow them to take that action. For example, /posts/delete/52. Obviously you could/should build the logic into the controller to check the rights for the user to take an action, in this case maybe delete a particular blog post, only if the user has rights to do so. That goes without saying, and I consider a must anyway. But I would still prefer to not even expose the application controller logic at all to the end user if that is possible. I would assume that CakePHP can just as easily use POST variables to contain the action and params and then a redirect to avoid the browser refresh issue that POST tends to create. Is this assumption correct? Am I crazy for even worrying about this? I'm curious if most people just follow the generic CakePHP convention for URLs (controller/action/params), or if there is something that is a better practice to implement.
Re: where to start - basic security question?
You can simply allow/deny users from viewing certain actions depending on their user/login status.

http://book.cakephp.org/view/172/Authentication
http://book.cakephp.org/view/175/Security-Component
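The question above is whether exposing controller/action/param URLs such as /posts/delete/52 is itself the security problem, and the reply is that actions are allowed or denied per user and login status. The added example below (not CakePHP code, and not from either poster) illustrates that point in plain Python: the URL being visible changes nothing, because a server-side check runs on every dispatch, whether the request arrived as a typed GET or as a POST. The `ACTION_RULES` policy table, the `User`/`Post` records and the `dispatch` router are all constructed for the illustration.

```python
"""Server-side authorization for controller/action URLs (added example, not
CakePHP code). Hiding /posts/delete/52 behind POST does not protect it; the
controller must check the user's rights on every request, whatever the transport."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy: who may call each action of the "posts" controller.
#   "anyone"        -> no login required
#   "authenticated" -> any logged-in user
#   "owner"         -> only the user who owns the record (or an admin)
ACTION_RULES = {
    "posts": {
        "index": "anyone",
        "view": "anyone",
        "add": "authenticated",
        "edit": "owner",
        "delete": "owner",
    },
}


@dataclass
class User:
    id: int
    is_admin: bool = False


@dataclass
class Post:
    id: int
    owner_id: int


def authorize(user: Optional[User], controller: str, action: str,
              record: Optional[Post] = None) -> bool:
    """Return True if `user` (None = anonymous) may run controller/action.
    Unknown controllers/actions are denied by default (fail closed)."""
    rule = ACTION_RULES.get(controller, {}).get(action)
    if rule is None:
        return False
    if rule == "anyone":
        return True
    if user is None:
        return False                      # everything below needs a login
    if rule == "authenticated":
        return True
    if rule == "owner":
        if record is None:
            return False                  # nothing to own -> deny
        return user.is_admin or record.owner_id == user.id
    return False


def dispatch(path: str, user: Optional[User], posts: dict) -> str:
    """Minimal router for URLs of the form /controller/action/param.
    Loads the record first so ownership can be checked, then authorizes."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:
        return "404 not found"
    controller, action = parts[0], parts[1]
    record = None
    if len(parts) > 2:
        try:
            record = posts.get(int(parts[2]))
        except ValueError:
            return "400 bad request"      # parameter is not an integer id
        if record is None:
            return "404 not found"
    if not authorize(user, controller, action, record):
        return "403 forbidden"
    return f"200 {controller}.{action}" + (f"({record.id})" if record else "")


if __name__ == "__main__":
    posts = {52: Post(id=52, owner_id=7)}
    alice, bob = User(id=7), User(id=9)
    print(dispatch("/posts/delete/52", None, posts))   # 403 forbidden
    print(dispatch("/posts/delete/52", bob, posts))    # 403 forbidden
    print(dispatch("/posts/delete/52", alice, posts))  # 200 posts.delete(52)
```

The policy lives in one table and the default is deny, so a new action that nobody has thought about yet is unreachable rather than open; that is the property a POST-only convention cannot give you, since the client decides the method.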
Re: Security question: AuthComponent and passwords
http://api.cakephp.org/class_auth_component.html#216d4deefcd62ffeac5d9334b9cc2614

On Oct 11, 5:24 am, Bernhard J. M. Grün [EMAIL PROTECTED] wrote:
> Hi! Is it correct that the passwords created with the help of the AuthComponent are not public hashed (i.e. only secret hashed)? At least in my test app it seems to be like that. If so this is a major security hole. [...]
Re: Security question: AuthComponent and passwords
Hi! Thanks for your response. I already know that Security::hash() is used to generate the hash. But the problem is that the hash is insecure (for passwords) in my eyes. The reason is that two passwords encrypt to the same hash (given the secret salt is the same, which is the case).

-- Bernhard J. M. Grün

2008/10/12 [EMAIL PROTECTED]:
> http://api.cakephp.org/class_auth_component.html#216d4deefcd62ffeac5d9334b9cc2614
> [...]
Re: Security question: AuthComponent and passwords
In RC3 I've got a big problem with the Auth component;

On 12 Oct, 19:00, Bernhard J. M. Grün [EMAIL PROTECTED] wrote:
> Hi! Thanks for your response. I already know that Security::hash() is used to generate the hash. But the problem is that the hash is insecure (for passwords) in my eyes. The reason is that two passwords encrypt to the same hash (given the secret salt is the same, which is the case). [...]
Security question: AuthComponent and passwords
Hi!

Is it correct that the passwords created with the help of the AuthComponent are not public hashed (i.e. only secret hashed)? At least in my test app it seems to be like that. If so, this is a major security hole.

Example:

User Alice has password "test": 2dd357c503a6812e276096a306cca02852cc1e4f
User Bob has the same password: 2dd357c503a6812e276096a306cca02852cc1e4f

Now hacker Charlie gets access to the database. He sees that both passwords are identical. So it is much easier for him to break in. If user Alice, for example, uses her password for other websites and hacker Charlie gets that password, user Bob's account is lost as well.

IMHO there is a reason why Unix, *BSD, Linux, OSX, ... use a public salt for their passwords. Maybe CakePHP should do the same.

So the correct way for passwords is:

    crypt(crypt('password', 'secretsalt'), 'publicsalt')

where publicsalt is concatenated at the front of the crypted password.

-- Bernhard J. M. Grün
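The thread above (the original post and the two replies before it) turns on one observation: with a single application-wide secret salt, two users who choose the same password get byte-identical stored hashes, so an attacker who reads the table learns which accounts share a password. The added example below, which is not CakePHP's Security::hash() and not the poster's code, reproduces that collision with a secret-only SHA-1 hash and then shows the per-user public salt the post proposes, stored in front of the digest. PBKDF2-HMAC-SHA256 stands in for crypt() here (an assumption of this example, chosen so the work factor is explicit); `APP_SECRET` is a constructed stand-in for the application's secret salt.

```python
"""Secret-only hashing vs. per-user salted hashing (added example, not
CakePHP's Security::hash()). With a single secret salt, Alice and Bob choosing
the same password get identical stored hashes; a per-user public salt removes
that equality and makes each stored value independent."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed application-wide secret, standing in for Security.salt.
APP_SECRET = "constructed-secret-salt"


def hash_secret_only(password: str) -> str:
    """sha1(secret + password): same password -> same digest for every user."""
    return hashlib.sha1((APP_SECRET + password).encode()).hexdigest()


def hash_salted(password: str, salt: Optional[str] = None,
                iterations: int = 100_000) -> str:
    """Per-user random public salt stored in front of the digest, as the
    post proposes. Format: pbkdf2$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = secrets.token_hex(16)          # fresh 128-bit salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt), iterations)
    return f"pbkdf2${iterations}${salt}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored public salt and compare in constant time."""
    try:
        scheme, iters, salt, _digest = stored.split("$")
        iterations = int(iters)
    except ValueError:
        return False                          # malformed record
    if scheme != "pbkdf2":
        return False
    candidate = hash_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def same_hash_for_same_password(scheme: Callable[[str], str]) -> bool:
    """Do two users who both pick the password 'test' end up with equal rows?"""
    alice, bob = scheme("test"), scheme("test")
    return alice == bob


if __name__ == "__main__":
    print("secret-only collides:", same_hash_for_same_password(hash_secret_only))  # True
    print("per-user salt collides:", same_hash_for_same_password(hash_salted))     # False
    stored = hash_salted("test")
    print(verify_salted("test", stored), verify_salted("wrong", stored))           # True False
```

Because the salt is public and stored beside the digest, nothing secret is needed to verify a login, and a leaked table no longer reveals shared passwords or allows one precomputed dictionary to be run against every row at once.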
Custom Validate for search - security question
Hi,

I'm performing a search the following way:

    function searchform() {
        // Displays searchform
    }

    function search_redirect() {
        // redirect to get values
        $this->redirect('/results/' . $this->data['Search']['searchvalue1'] . '/'
            . $this->data['Search']['searchvalue2'] . '/'
            . $this->data['Search']['searchvalue3']);
    }

    function results($searchvalue1, $searchvalue2, $searchvalue3) {
        // Displays results
    }

Originally I wanted to ask whether it is a security problem to validate just before the redirect, or to validate in the results action. Is there a possibility to catch (and hijack) the program flow at the internal redirect? But with writing it down, it's sure that someone could change the GET values and just reload. So that leads me to another question: Is there a way to guarantee that results is only redirected to from action search_redirect, and not accessed directly? Can I check this? Perhaps with the referer?

Regards,
Alexander
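The post above works out its own answer: after the redirect the three search values are plain URL segments, so whatever was validated in search_redirect() can be edited and reloaded before results() runs. The added example below (Python for illustration, not the poster's CakePHP code) shows the consequence for design: one shared rule set, applied in the form handler for early feedback and applied again in the receiving action, which is the only check that counts. The `referer` parameter on `results` is there only to make the point that it takes no part in the decision, since the client supplies that header. `SEARCH_RULES` and the three field names' patterns are constructed for the example.

```python
"""Validate search parameters where they are consumed (added example, not the
poster's code). The redirect to /results/<v1>/<v2>/<v3> turns form data into
URL segments the client can rewrite, so results() must validate them itself."""
import re
from typing import Dict, Optional
from urllib.parse import quote

# Constructed validation rules, one per positional search parameter.
SEARCH_RULES = {
    "searchvalue1": re.compile(r"[A-Za-z0-9 _-]{1,40}"),   # free-text term
    "searchvalue2": re.compile(r"books|music|video"),      # fixed category
    "searchvalue3": re.compile(r"\d{4}"),                  # four-digit year
}
FIELDS = ("searchvalue1", "searchvalue2", "searchvalue3")


def validate_search(values: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Return field -> error message; an empty dict means every value passed."""
    errors = {}
    for field, pattern in SEARCH_RULES.items():
        value = values.get(field)
        if value is None or not pattern.fullmatch(value):
            errors[field] = "invalid value"
    return errors


def search_redirect(form_data: Dict[str, str]) -> str:
    """Form handler: validate for early feedback, then build the GET URL.
    This check is a convenience for the user, not a security boundary."""
    errors = validate_search(form_data)
    if errors:
        return "render searchform with errors: " + ", ".join(sorted(errors))
    segments = [quote(form_data[f], safe="") for f in FIELDS]
    return "redirect /results/" + "/".join(segments)


def results(searchvalue1: str, searchvalue2: str, searchvalue3: str,
            referer: Optional[str] = None) -> str:
    """Receiving action: re-validate, because the URL may have been edited.
    `referer` is accepted only to show it plays no part in the decision."""
    errors = validate_search(dict(zip(FIELDS, (searchvalue1, searchvalue2, searchvalue3))))
    if errors:
        return "400 invalid search parameters: " + ", ".join(sorted(errors))
    return f"200 results for {searchvalue1!r} in {searchvalue2} ({searchvalue3})"


if __name__ == "__main__":
    print(search_redirect({"searchvalue1": "cake", "searchvalue2": "books",
                           "searchvalue3": "2008"}))          # redirect /results/cake/books/2008
    print(results("cake", "books", "2008"))                   # 200 results for 'cake' in books (2008)
    print(results("cake", "toys", "2008", referer="/search")) # 400 invalid search parameters: searchvalue2
```

Keeping the rules in one place means the two checks cannot drift apart, and the receiving action stays correct even when someone bookmarks, edits, or shares the results URL without ever touching the form.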
Security question
Hi there,

A newbie question, so sorry if this is easy. I had a look through the forum and didn't see the answer.

I have an area on my app where the user votes by clicking on an image. Via AJAX, this updates a DIV with stats elsewhere on the page. The link looks like this:

http://domain.com/competitions/vote/27

How do I prevent someone from voting by manually entering this URL? Should I change the voting area to a form? I noticed there was a security component on the forum but some folks weren't happy with it.

I'm sure everyone's had a similar situation in their app. How did you go about securing it?

Cheers,
Wilson
Re: Security question
You can indeed make a form, but a POST can also be tricked. This thread shows some solutions about this, especially the GET with some hashing (MD5):

http://groups.google.com/group/cake-php/browse_thread/thread/76dfe9536d8a761e/2713f28a4995c203?lnk=gstq=delete+get+methodrnum=10#2713f28a4995c203

On Jun 30, 5:25 pm, [EMAIL PROTECTED] wrote:
> I have an area on my app where the user votes by clicking on an image. Via AJAX, this updates a DIV with stats elsewhere on the page. The link looks like this: http://domain.com/competitions/vote/27 How do I prevent someone from voting by manually entering this URL? [...]
Re: Security question
On 6/30/07, [EMAIL PROTECTED] wrote:
> I have an area on my app where the user votes by clicking on an image. Via AJAX, this updates a DIV with stats elsewhere on the page. The link looks like this: http://domain.com/competitions/vote/27 How do I prevent someone from voting by manually entering this URL? Should I change the voting area to a form? [...]

Maybe you can try the isAjax method (please refer to the CakeManual). I never use it, but I think it's worth a try... :)

-- 
Y!M id: riky.kurniawan
LinkedIn: http://www.linkedin.com/in/rikykurniawan
Friendster: http://www.friendster.com/rikyknwn
Personal blog: http://riky.kurniawan.us
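The three posts above ask how to stop a hand-typed http://domain.com/competitions/vote/27 from counting, and the replies offer a form, a hashed GET parameter, and isAjax(). A form alone and the X-Requested-With header that isAjax() inspects are both set by the client, so neither distinguishes a click from a typed URL. The added example below, which is not CakePHP's Security component and not code from any of the posters, follows the "GET with some hashing" suggestion but uses an HMAC with a server-side secret instead of a bare MD5, binds the token to the logged-in voter and the competition id, gives it an expiry, and records one vote per user so a captured token cannot be replayed. `SERVER_SECRET`, `TOKEN_TTL` and the `handle_vote` controller are constructed for the example.

```python
"""Signed, user-bound vote tokens (added example, not CakePHP's Security
component). The page embeds a token for the logged-in user; the vote action
accepts POST only and checks that the token matches this user and competition
and has not expired, so a typed /competitions/vote/27 is rejected."""
import hashlib
import hmac
import time
from typing import Dict, Optional, Set

# Constructed server-side secret; in a deployment this lives in configuration,
# never in the page or the URL.
SERVER_SECRET = b"constructed-vote-signing-key"
TOKEN_TTL = 600  # seconds a vote link stays valid


def _sign(user_id: int, competition_id: int, expires: int) -> str:
    """HMAC-SHA256 over who is voting, for what, and until when."""
    msg = f"{user_id}:{competition_id}:{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_vote_token(user_id: int, competition_id: int,
                    now: Optional[int] = None) -> str:
    """Token rendered into the page for the logged-in user: '<expires>.<mac>'."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    return f"{expires}.{_sign(user_id, competition_id, expires)}"


def verify_vote_token(token: str, user_id: int, competition_id: int,
                      now: Optional[int] = None) -> bool:
    """True only if the MAC matches this user and competition and is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        exp_str, mac = token.split(".", 1)
        expires = int(exp_str)
    except ValueError:
        return False                       # malformed token
    if now > expires:
        return False
    return hmac.compare_digest(mac, _sign(user_id, competition_id, expires))


def handle_vote(method: str, session_user: Optional[int], competition_id: int,
                token: Optional[str], votes: Dict[int, Set[int]],
                now: Optional[int] = None) -> str:
    """Controller action: POST only, logged in, valid token, one vote per user.
    `session_user` comes from the server-side session, not from the request."""
    if method != "POST":
        return "405 use POST"
    if session_user is None:
        return "401 login required"
    if not token or not verify_vote_token(token, session_user, competition_id, now):
        return "403 bad or missing vote token"
    voters = votes.setdefault(competition_id, set())
    if session_user in voters:
        return "409 already voted"
    voters.add(session_user)
    return f"200 vote recorded for {competition_id}"


if __name__ == "__main__":
    votes: Dict[int, Set[int]] = {}
    tok = make_vote_token(user_id=5, competition_id=27)
    print(handle_vote("GET", 5, 27, tok, votes))    # 405 use POST
    print(handle_vote("POST", 5, 27, tok, votes))   # 200 vote recorded for 27
    print(handle_vote("POST", 5, 27, tok, votes))   # 409 already voted
```

The token changes nothing about the URL itself; what it adds is proof that the server issued this request to this user for this competition recently, which is exactly what a typed address, a forged form post, or a copied header cannot supply.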