RE: cakephp and security
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Dee Johnson
Sent: Tuesday, October 18, 2011 7:27 PM
To: cake-php@googlegroups.com
Subject: cakephp and security

Hi all,

I scanned a cake project with a security program called Fortify and it came back with 181 errors associated with using the extract function in the core.

Explanation below:

Possible Variable Overwrite: Global Scope (Input Validation and Representation, Structural)
The program invokes a function that can overwrite global variables, which can open the door for attackers.

Example is line 870 of configure.php:

    function import($type = null, $name = null, $parent = true, $search = array(), $file = null, $return = false) {
        $plugin = $directory = null;
        if (is_array($type)) {
            extract($type, EXTR_OVERWRITE);
        }
        if (is_array($parent)) {
            extract($parent, EXTR_OVERWRITE);
        }
        // ...

The application suggests that in all instances where extract is used, to use the argument 'EXTR_SKIP'. Since this would be in place of EXTR_OVERWRITE I was wondering if this would cause any issues considering this is the core and all... ??? Thoughts?

Full explanation below (source - )

Recommendations:
Prevent functions that can overwrite global variables from doing so in the following ways:
- Invoke mb_parse_str(string $encoded_string [, array $result ]) with the second argument, which captures the result of the operation and prevents the function from overwriting global variables.
- Invoke extract(array $var_array [, int $extract_type [, string $prefix]]) with the second argument set to EXTR_SKIP, which prevents the function from overwriting global variables that are already defined.

Example 2: The following code uses a second argument to mb_parse_str() to mitigate the vulnerability from Example 1.

    <?php
    $first = "User";
    // ...
    $str = $_SERVER['QUERY_STRING'];
    mb_parse_str($str, $output);
    echo $first;
    ?>

References: [1] CWE ID 473, Standards Mapping - Common Weakness Enumeration - (CWE)

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php
--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups CakePHP group.
To post to this group, send email to cake-php@googlegroups.com.
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en.
Re: cakephp and security
What global variables?
Re: cakephp and security
:) That's what I said, but nonetheless, I need to fix it. See any issue with changing the argument?
Re: cakephp and security
Those extract() calls are not in global scope though. They are all function scoped uses. Cake has very few globals, and none are hit with the existing extract calls.

-Mark

On Oct 18, 12:27 pm, Dee Johnson devario...@gmail.com wrote:
> Hi all, I scanned a cake project with a security program called Fortify and it came back with 181 errors associated with using the extract function in the core.
> ...
Re: cakephp and security
This may be true but I have found that it is fleeting to argue those points. With that being said though, if I were to make the alterations mentioned earlier, would there be a conceivable issue?
Re: cakephp and security
Dee,

Fleeting to who? You can make the changes if you want, but I expect things to fail. You will notice in the methods you find extract being used that the variables are already defined, so once you change the code to not overwrite these the code will not work as expected and will always have the default values set in the method signature. Next you will find we do not use this on user submitted data in the core.

What other concerns do you have?

--
Larry E. Masters

On Tue, Oct 18, 2011 at 12:24 PM, Dee Johnson devario...@gmail.com wrote:
> This may be true but I have found that it is fleeting to argue those points. With that being said though, if I were to make the alterations mentioned earlier, would there be a conceivable issue?
Re: cakephp and security
Fleeting basically meaning it's pointless to argue since the security program mandates that all issues it finds are corrected. I can argue the points mentioned earlier but past experience says they will just want them corrected, which would leave me in the position of doing what is needed to make the app pass. It sucks that this issue came up since we see that this really is a non-issue. :(

Any other way of getting around this?
Re: cakephp and security
I would not do this myself, but you can find all instances of this being used, set a prefix and replace all variables in the code to use your prefix variables. Make sure you set any missing variables that are extracted.

Hope you understand what I said above; I do not have much time right now to go into details about implementation.

--
Larry E. Masters

On Tue, Oct 18, 2011 at 12:38 PM, Dee Johnson devario...@gmail.com wrote:
> Fleeting basically meaning it's pointless to argue since the security program mandates that all issues it finds are corrected.
> ...
> Any other way of getting around this?
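As an added illustration of the two replies above (not CakePHP core code and not code from any poster), the following PHP script mirrors the defaults-then-extract() shape of the quoted import() excerpt; the function names and the $opt_ prefix are assumptions.

```php
<?php
// Added example, not CakePHP core code. It mirrors the shape of the
// Configure::import() excerpt quoted earlier in the thread (parameters
// with defaults, then extract() on an options array) to show:
//  1. extract() inside a function never touches the global symbol table,
//     which is why the "Global Scope" finding does not apply here;
//  2. switching the flag to EXTR_SKIP leaves every parameter at its
//     default, as Larry warns;
//  3. the prefix route he sketches (EXTR_PREFIX_ALL plus renamed
//     variables) keeps the values while no existing variable can be
//     overwritten.

// 1. Function-scoped extract() defines locals only.
function extractStaysLocal()
{
    extract(array('leaked' => 'yes'), EXTR_OVERWRITE);
    return array_key_exists('leaked', $GLOBALS) ? 'global defined' : 'local only';
}

// 2. Same defaults-then-extract pattern as the core; the flag is the
//    caller's choice so both behaviours can be compared.
function importWithFlag(array $options, $flag)
{
    $name = null;   // these exist before extract() runs, like the
    $parent = true; // parameters in the quoted signature
    $plugin = $directory = null;

    extract($options, $flag);

    return compact('name', 'parent', 'plugin', 'directory');
}

// 3. Prefix variant: each key becomes $opt_<key>, so nothing already
//    defined is touched; keys the caller omitted are filled from the
//    defaults so later code can rely on every $opt_* existing.
function importPrefixed(array $options)
{
    $name = null;
    $parent = true;
    $plugin = $directory = null;

    extract($options, EXTR_PREFIX_ALL, 'opt');

    foreach (array('name', 'parent', 'plugin', 'directory') as $var) {
        if (!array_key_exists($var, $options)) {
            ${'opt_' . $var} = $$var;   // missing key: carry the default over
        }
    }
    return compact('opt_name', 'opt_parent', 'opt_plugin', 'opt_directory');
}

// Constructed call: the array form that replaces positional arguments.
$options = array('name' => 'Post', 'parent' => false, 'plugin' => 'Blog');

var_dump(extractStaysLocal());
// With EXTR_OVERWRITE name, parent and plugin take the caller's values;
// with EXTR_SKIP all four keep their defaults, because $name, $parent
// and $plugin were already defined when extract() ran.
print_r(importWithFlag($options, EXTR_OVERWRITE));
print_r(importWithFlag($options, EXTR_SKIP));
print_r(importPrefixed($options));
```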
Re: cakephp and security
Yikes. Sounds fair. I will go the route of trying to explain the non-issue first and then, if that fails, implement something. Wish me luck.
Re: cakephp and security
Dee,

Have them contact me personally if there are any problems trying to explain it.

--
Larry E. Masters

On Tue, Oct 18, 2011 at 12:56 PM, Dee Johnson devario...@gmail.com wrote:
> Yikes. Sounds fair. I will go the route of trying to explain the non-issue first and then, if that fails, implement something. Wish me luck.
Re: cakephp and security
Better yet (I'm sure your time is valuable), if you can post a paragraph (or less) on why this isn't an issue that would be greatly beneficial.
Re: cakephp and security
Ok, give me a few; I need a break, then I can write up a quick response.

--
Larry E. Masters

On Tue, Oct 18, 2011 at 1:02 PM, Dee Johnson devario...@gmail.com wrote:
> Better yet (I'm sure your time is valuable), if you can post a paragraph (or less) on why this isn't an issue that would be greatly beneficial.
Re: cakephp and security
Thank you sir :) CakePHP has the best community of all time.
Re: Cakephp Forms Security Flaw
Nice ... I would say ... it was undocumented for cake1.1. I checked it in the core file now:

    function save($data = null, $validate = true, $fieldList = array()) {

Thanks.

On May 4, 3:04 pm, BeroFX ber...@gmail.com wrote:
> Well, first of all, you need to validate the data before saving it.
> http://book.cakephp.org/view/125/Data-Validation
> ...
> On May 4, 10:35 am, AzGhanv/. azgha...@gmail.com wrote:
> > I was checking this tutorial ... http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial
> > ...
Cakephp Forms Security Flaw
I was checking this tutorial ... http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial

Here I see a big security flaw ... and I think this practice is used throughout the framework.

    function add()
    {
        if (!empty($this->data))
        {
            if ($this->Post->save($this->data))
            {
                $this->flash('Your post has been saved.', '/posts');
            }
        }
    }

We create HTML form inputs with names like 'data[Post][field_name]' ... and on post back we can access them using $this->data, and that data array contains an array of Post as in our input name.

Concern: As the value in input field_name directly maps to our DB field, if someone tampers with your HTML form by guessing database field names ... we have no checks.

I want to know, is there any base solution provided by cakephp, or do we have to recheck the posted fields manually again?
Re: Cakephp Forms Security Flaw
Well, first of all, you need to validate the data before saving it.
http://book.cakephp.org/view/125/Data-Validation

Then, you might consider sanitizing the submitted data.
http://book.cakephp.org/view/153/Data-Sanitization

And then, you can even go ahead and allow only certain fields to be saved.
http://book.cakephp.org/view/75/Saving-Your-Data

The code provided in the tutorial is only to get you to start coding as fast as possible, and then build off that.

On May 4, 10:35 am, AzGhanv/. azgha...@gmail.com wrote:
> I was checking this tutorial ... http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial
> ...
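An added example (not code from the Cake book, the core, or any poster) of the concern raised in this thread and the field-list answer to it: a constructed tampered POST body, a plain-PHP copy of what the $fieldList argument of save() does, and the controller call that uses it. The helper names, the sample values and the PostsController property declarations are assumptions.

```php
<?php
// Added example, not code from the Cake book or the core. A constructed
// tampered POST body of the kind described above, a plain-PHP copy of what
// the $fieldList argument of Model::save($data, $validate, $fieldList)
// does, and the one-line controller change that uses it.

// Constructed request body. The blog form only renders
// data[Post][title] and data[Post][body]; the extra keys are what a
// guessed column name in a modified form would add.
$posted = array(
    'Post' => array(
        'title'   => 'Hello',
        'body'    => 'First post',
        'user_id' => 42,            // not on the form
        'status'  => 'published',   // not on the form
    ),
);

// The columns this form is allowed to write.
$fieldList = array('title', 'body');

// Plain-PHP equivalent of saving with a field list: only whitelisted
// columns of the model's array survive; everything else is dropped.
function keepOnlyFields(array $data, $alias, array $fieldList)
{
    if (!isset($data[$alias]) || !is_array($data[$alias])) {
        return array();
    }
    return array_intersect_key($data[$alias], array_flip($fieldList));
}

// Names the posted keys that fell outside the whitelist, so an attempt
// to write columns the form never offered can be logged.
function rejectedFields(array $data, $alias, array $fieldList)
{
    if (!isset($data[$alias]) || !is_array($data[$alias])) {
        return array();
    }
    return array_values(array_diff(array_keys($data[$alias]), $fieldList));
}

print_r(keepOnlyFields($posted, 'Post', $fieldList));
print_r(rejectedFields($posted, 'Post', $fieldList));

// In the controller, hand the same list to save() as its third argument
// (the signature quoted in the reply above). This class needs a Cake
// install to run; it is shown for the call shape only.
class PostsController /* extends AppController */
{
    public $data;
    public $Post;

    public function add()
    {
        if (!empty($this->data)) {
            // tutorial form:  $this->Post->save($this->data);
            // hardened form: validate, and write only the listed columns
            if ($this->Post->save($this->data, true, array('title', 'body'))) {
                $this->flash('Your post has been saved.', '/posts');
            }
        }
    }
}
```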