http://localhost/CakePHP/cakeBlog/posts/delete/1
1 can be anything
What if a cracker visits http://localhost/CakePHP/cakeBlog/posts/delete/'all'
or something like that?
How are you protecting your site?
What would an explanation look like in the manual about denying any
argument like 'all' fro
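An added example for the question above (not code from the thread and not CakePHP's own code): a delete action that takes its id from the URL should accept only a canonical positive integer and only over POST; anything else ("all", "'all'", "1 OR 1=1", an empty argument) is refused before a model is touched. The `deleteAction()` function and its return strings are a stand-in for a controller action so the script runs stand-alone; the `requirePost()` call in the comment is the CakePHP 1.2 Security component method named elsewhere in this thread.

```php
<?php
// Added example, not from the thread or from CakePHP: validate a route
// argument before using it as a record id.

function isValidId($arg) {
    // Canonical decimal only: no "all", no "1abc", no "01", no "-1", no "".
    // Length cap keeps the value inside a 64-bit integer.
    return is_scalar($arg) && preg_match('/\A[1-9][0-9]{0,18}\z/', (string) $arg) === 1;
}

// Stand-in for the controller action; returns what it would do instead of
// calling a model so that the example runs stand-alone.
function deleteAction($method, $id) {
    if ($method !== 'POST') {
        // CakePHP 1.2 equivalent: $this->Security->requirePost('delete');
        return 'blackhole: deletes must be POSTed';
    }
    if (!isValidId($id)) {
        return 'blackhole: bad id';
    }
    return 'delete post ' . (int) $id;
}

// Constructed cases: (request method, URL argument, expected outcome).
$cases = array(
    array('POST', '1',         'delete post 1'),
    array('GET',  '1',         'blackhole: deletes must be POSTed'),
    array('POST', "'all'",     'blackhole: bad id'),
    array('POST', 'all',       'blackhole: bad id'),
    array('POST', '1 OR 1=1',  'blackhole: bad id'),
    array('POST', '01',        'blackhole: bad id'),
    array('POST', '0',         'blackhole: bad id'),
    array('POST', null,        'blackhole: bad id'),
);
foreach ($cases as $c) {
    list($method, $id, $want) = $c;
    $got = deleteAction($method, $id);
    if ($got !== $want) {
        throw new RuntimeException("$method " . var_export($id, true) . ": got '$got', wanted '$want'");
    }
}
echo "all cases behaved as expected\n";
```

Requiring POST alone is not enough, since a cross-site page can submit a POST form; pair it with the form token the Security component adds, or with the session check from AuthComponent, so the request is tied to the logged-in user.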
@mlix
changeset 7979 fixed the issue.
Security prevents CSRF and ensures that form inputs properly match the
values being submitted.
@Pyrite
I'm so sorry. I don't really have a way around your IE7 problem, short
of storming the castle and demanding your work instal
Is there a way to test this CVE without Firefox? I do not have the
option of Firefox at work. Only IE7.
On Jan 16, 4:14 pm, Gwoo wrote:
> After the release of 1.2 Final, we received a lot of attention. Some
> of this came in the form of a security concern. The issue could affect
> site
Is there a link to the details of the security concern? I know it's
fixed now but I'm interested if I should always use the Security
Component and what the implication is if I don't.
Tried googling and looking in Trac but I can't seem to find out what
the problem was.
On Ja
Thanks for the heads-up.
Updating now...
On Jan 16, 11:14 pm, Gwoo wrote:
> After the release of 1.2 Final, we received a lot of attention. Some
> of this came in the form of a security concern. The issue could affect
> sites relying on the AuthComponent for user authentication, with
After the release of 1.2 Final, we received a lot of attention. Some
of this came in the form of a security concern. The issue could affect
sites relying on the AuthComponent for user authentication, without
the use of the SecurityComponent. Essentially, an attacker may be able
to obtain
action, etc. And I have no doubt that
tools for forging POST info exist. And yes, I totally agree that to
thwart a determined hacker you have to have server side security to
prevent SQL injection, etc. I fully plan to implement all that. Who
knows, maybe I miss something somewhere.
I guess I just don
ler name, action, and params explicitly viewable by
the users is not a security issue because even if you hide them they will be
viewable by a lot of tools that give you a lot of information about "client
- server" transactions, like "live HTTP
header<https://addons.mozilla.org/en-US/
eally they should be POST in a secure
application. You are left to implement this yourself (with the help of
the RequestHandler/Security components).
Cheers,
Adam
On Jan 13, 9:27 am, SethA wrote:
> I'm new to all this. It all started with a desire on my part to start
> building some PHP
You can simply allow/deny users from viewing certain actions depending
on their user/login status.
http://book.cakephp.org/view/172/Authentication
http://book.cakephp.org/view/175/Security-Component
for the web app to trigger various actions and so
forth is to use URLs of this form "site.com/controller/action/param1/
param2". I fully accept that I may be the idiot of the year for asking
whether I am wrong in thinking that this is a basic security problem?
I personally don't want
I am using the Security component, and it works great, except when I
load a form via AJAX, the token fields are not being written in the
form. I'm using the form helper. Also note the action that renders
the form is in a different controller, so not sure if that's part of
the probl
Hello! First of all, thanks for your attention!
I have a very weird problem, this is it: I have a JavaScript file
(AJAX) that is sending an XMLHttpRequest via POST to a CakePHP
controller which has the Auth component implemented and a beforeFilter
function too; but when the request is made via AJA
Hello,
I have a problem with the Security Component. As soon as I add Security to the
component array, I get a blank page back when trying to add, delete or
update. I'm doing this in my AppController. I'm using a newer version of
Cake (nightly 1.2). Please advise me how I can figure out this problem.
Same problem here, almost lost faith till I found this.
Here is another link describing the problem:
http://www.nabble.com/Multiple-Select-Issues-td20616571.html
Any ideas about a fix...
On Nov 22, 1:55 am, etipaced <[EMAIL PROTECTED]> wrote:
> Thanks for the insight, Nate. I'm having the same i
If the security level is set to medium and the browser is closed, the
user session is not deleted. So when opening the browser again after a
few minutes, the user still has access to the authorized pages without
logging in again.
My question is, if the browser is kept closed long enough, will
You should be fine from SQL injection if you follow Cake's conventions. That
part is built in. But you need to implement the Security component and
the Sanitize class. You can find information on implementing those in
the docs. I don't think there are any security issues with the ACL. Not
sure on the
I was thinking that Cake was at least automatically sanitizing the
post variables and the like. I can't believe that there isn't more
info on security on the cake website.
How secure are the login and ACL components? Can I rely on them to be
solid?
T
Security is something that is left to the developer to implement. If
you follow conventions you can avoid SQL injection attacks. If you use
the Security component you can prevent CSRF attacks. If you use proper
methods to escape any user input you can prevent XSS attacks.
So CakePHP has features
I am looking for a webpage or something that details what security
issues Cake handles. Customers ask how secure their sites are going to
be and I assure them that since I'm using the CakePHP framework that
their site is being built on a secure foundation. I need some details
though. I l
Thanks for the insight, Nate. I'm having the same issue and just
downloaded the build from 2008-11-21 but it didn't resolve it for me.
FYI.
On Oct 31, 12:12 pm, Nate <[EMAIL PROTECTED]> wrote:
> There were a couple of bug fixes related to this issue that got
> committed just recently. If you're
Okay, I found the solution!
I needed to set cake security to medium instead of high, so that the
session_id isn't regenerated upon every request.
That's my solution for now anyway. It works!
Update: I was able to pinpoint that the issue is in fact a session
issue. I created a smaller test case to verify this, although I still
don't know what the solution is.
When I submit the form to the server, it saves some values in the
session, but then when it redirects, the session variables ar
Thanks for the reply. Here is the login function code. (see below) I
have verified that it is at least getting to this function, and the
Authentication component is finding and returning the user properly.
Yes, I am redirecting at the end of the function.
Is there some trouble then, with having s
If I had to guess, I'd say it was because of the way that URL rewrites
and sessions are handled in CakePHP.
Perhaps if you share a view of the code and where it's failing, it
might make more sense.
Do you have a redirect at the end of the login function?
site.
This remote login form works great if it's done from the same server
(so, locally, not remotely), but if the form is placed on a remote
server, and you try to login, permission is denied.
I'm just wondering if there's something in Cake's security component,
or something
may be a config issue there, but my doc root is
> set correctly on my 443 VH.
>
> On Nov 7, 12:43 pm, rgreenphotodesign <[EMAIL PROTECTED]>
> wrote:
>
> > Hi All,
>
> > I'm working on implementing the security component for the follow
> > functionali
If it helps, I'm running a Linux server with Ubuntu. Apache set up as
virtual hosts. So it may be a config issue there, but my doc root is
set correctly on my 443 VH.
On Nov 7, 12:43 pm, rgreenphotodesign <[EMAIL PROTECTED]>
wrote:
> Hi All,
>
> I'm working on
Hi All,
I'm working on implementing the security component for the follow
functionality:
My site will have a "donate" page that will accept CC's and such so it
needs to be https://.
In my controller I'm using the beforeFilter with requireSecure and the
action I'm
Ratproxy and Chorizo
But this is kinda off topic for this list
HTH
Tarique
On Wed, Nov 5, 2008 at 4:05 AM, validkeys
<[EMAIL PROTECTED]> wrote:
>
> Anyone have a good recommendation for a web app scanner?
> >
>
Anyone have a good recommendation for a web app scanner?
a problem with the Security Component on one of my
> actions. It works on most, but this one action is quite complex. I'm
> not even sure what the problem could possibly be. So rather than
> asking what the problem is with my action, I would rather ask if there
> is any inform
I'm having a bit of a problem with the Security Component on one of my
actions. It works on most, but this one action is quite complex. I'm
not even sure what the problem could possibly be. So rather than
asking what the problem is with my action, I would rather ask if there
is any i
've done it I needed to argue about it... and sometimes it takes a
lot of effort (especially for me, since my mother tongue is other than
English).
Best regards,
B.
On 21 oct, 02:11, "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]> wrote:
> I don't use much ajax in my current w
I don't use much ajax in my current work.
I do use Security Component, though. What might show you the right
direction is how Security works on forms to prevent outside requests.
Just by including the component in your controller Cake will add a
hash to your form. If the form is posted wi
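An added example of the mechanism the reply above describes (not the Security component's own code): at render time the server hashes the list of fields it wrote into the form and puts the hash in a hidden input; on POST it rebuilds the list from the field names that actually arrived and blackholes the request unless the hash matches. The `_Token` field name is borrowed from CakePHP's hidden token field; the HMAC scheme, the per-session key and the `User` form data below are constructed stand-ins so the script runs offline.

```php
<?php
// Added example, not CakePHP's Security component. A form token bound to the
// rendered field list and to a per-session secret: extra fields, missing
// tokens and forged cross-site posts all fail the check.

// Stand-in for a secret kept in the user's session (constructed here).
$sessionKey = bin2hex(random_bytes(16));

// At render time: $fields are the inputs the form helper wrote into the form.
function formToken(array $fields, $sessionKey) {
    sort($fields, SORT_STRING);                     // order-independent
    return hash_hmac('sha256', implode("\n", $fields), $sessionKey);
}

// On POST: rebuild the field list from what arrived and compare hashes.
function postIsValid(array $post, $sessionKey) {
    if (!isset($post['_Token']['fields'])) {
        return false;                               // no token at all: blackhole
    }
    $submitted = array();
    foreach ($post as $model => $record) {
        if ($model === '_Token' || !is_array($record)) {
            continue;
        }
        foreach (array_keys($record) as $name) {
            $submitted[] = $model . '.' . $name;
        }
    }
    return hash_equals(formToken($submitted, $sessionKey), (string) $post['_Token']['fields']);
}

// The rendered form had exactly these two inputs plus the hidden token.
$rendered = array('User.email', 'User.password');
$token    = formToken($rendered, $sessionKey);

// Constructed honest submission.
$good = array(
    'User'   => array('email' => 'a@example.com', 'password' => 'pw'),
    '_Token' => array('fields' => $token),
);
// Constructed tampered submission: User[active]=1 added in the browser.
$bad = $good;
$bad['User']['active'] = '1';
// Constructed cross-site POST: the attacker cannot read the victim's session key.
$csrf = $good;
$csrf['_Token']['fields'] = formToken($rendered, 'guessed-key');
// Constructed hand-built or AJAX-loaded form that never got the token field.
$noToken = array('User' => $good['User']);

if (!postIsValid($good, $sessionKey))   throw new RuntimeException('valid form blackholed');
if (postIsValid($bad, $sessionKey))     throw new RuntimeException('tampered form accepted');
if (postIsValid($csrf, $sessionKey))    throw new RuntimeException('forged form accepted');
if (postIsValid($noToken, $sessionKey)) throw new RuntimeException('untokened form accepted');
echo "only the honest submission passed\n";
```

The last two constructed cases are the failure modes reported elsewhere in this list: a form not built entirely with the form helper, a second form on the same page, or a form fragment fetched by AJAX that lacks the token fields will be blackholed exactly as a tampered one is.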
Hello...
I have added this to my app_controller:
var $components = array('Auth', 'Security');
Then in one of my controllers I have:
$this->Security->requireAuth('add', 'add_streams');
$this->Security->allowedActions = array('ajax_c
In RC3 I've a big problem with the Auth component ;<
On 12 Paź, 19:00, "Bernhard J. M. Grün"
<[EMAIL PROTECTED]> wrote:
> Hi!
>
> Thanks for your response.
> I already know that Security::hash() is used to generate the hash. But the
> problem is that the hash
Hi!
Thanks for your response.
I already know that Security::hash() is used to generate the hash. But the
problem is that the hash is insecure (for passwords) in my eyes. The reason
is that two passwords encrypt to the same hash (given the secret salt is the
same which is the case).
-- Bernhard J
nly secret hashed)? At least in my test app it
> seems to be like that.
> If so this is a major security hole.
> Example:
> User Alice has password "test": 2dd357c503a6812e276096a306cca02852cc1e4f
> User Bob has the same password: 2dd357c503a6812e276096a306cca02852cc1e4f
Hi!
Is it correct that the passwords created with the help of the AuthComponent
are not public hashed (i.e. only secret hashed)? At least in my test app it
seems to be like that.
If so this is a major security hole.
Example:
User Alice has password "test": 2dd357c503a6812e276096a306cca0
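An added example (not from the thread, not CakePHP code) reproducing the problem described above and the usual fix: with one application-wide secret salt, two users with the same password get the same hash, so a database read reveals shared passwords and one cracked hash opens both accounts; a random per-user salt stored beside the hash removes that. `APP_SALT` is a constructed stand-in for the app-wide secret, and the functions below are illustrative rather than Cake's `Security::hash()`. Requires PHP 7 for `random_bytes()`.

```php
<?php
// Added example, not code from the thread or from CakePHP.

// Stand-in for the app-wide secret salt (constructed value).
define('APP_SALT', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');

// What a global-salt-only scheme amounts to: sha1(secret . password).
function hashWithAppSalt($password) {
    return sha1(APP_SALT . $password);
}

// Per-user salt: random, stored next to the hash in the user row.
function makeUserSalt() {
    return bin2hex(random_bytes(16));
}

function hashWithUserSalt($password, $userSalt) {
    // The app secret stays in as a pepper; the per-user salt makes hashes unique.
    return sha1(APP_SALT . $userSalt . $password);
}

function checkPassword($password, $userSalt, $storedHash) {
    return hash_equals($storedHash, hashWithUserSalt($password, $userSalt));
}

// Alice and Bob both chose "test".
$alice = hashWithAppSalt('test');
$bob   = hashWithAppSalt('test');
if ($alice !== $bob) throw new RuntimeException('expected identical hashes');
// Identical rows: anyone who reads the users table learns the two share a
// password, and a rainbow table built once for APP_SALT cracks every user.

$aliceSalt = makeUserSalt();
$bobSalt   = makeUserSalt();
$aliceHash = hashWithUserSalt('test', $aliceSalt);
$bobHash   = hashWithUserSalt('test', $bobSalt);
if ($aliceHash === $bobHash)                        throw new RuntimeException('salts collided');
if (!checkPassword('test', $aliceSalt, $aliceHash)) throw new RuntimeException('login failed');
if (checkPassword('wrong', $aliceSalt, $aliceHash)) throw new RuntimeException('bad password accepted');

// Store ($aliceSalt, $aliceHash); on login, fetch the salt by username and
// call checkPassword(). On PHP >= 5.5, password_hash()/password_verify()
// do the salting and use a deliberately slow hash; prefer them to sha1.
echo "app-salt-only: both users => $alice\n";
echo "per-user salt: alice => $aliceHash\n";
echo "per-user salt: bob   => $bobHash\n";
```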
i have multiple forms in one page. when I add var
$components=array('Security'); component (without doing anything else), it
does not work. i notice that it only adds the security token to the first
form on the page. How do I get it on all of the form
i have multiple forms in one page. when I add var
$components=array('Security'); component (without doing anything else), i
notice that it only adds the security token to the first form on the page.
How do I get it on all of the form
I'm trying to use the security component, but I'm having some problems
when I try to customize my forms on the edit and add views. If I
change any options in the options array of the form helper, the page
will just reload itself instead of actually doing the update. Here is
the code fr
Can you give more details about what you had to do to fix this?
On Sun, Jul 20, 2008 at 2:24 PM, Mathachew <[EMAIL PROTECTED]> wrote:
>
> I found out what the issue was. I was trying to use the security
> component without creating all form items in the form helper.
>
I found out what the issue was. I was trying to use the security
component without creating all form items in the form helper.
On Jul 19, 7:19 pm, Mathachew <[EMAIL PROTECTED]> wrote:
> I was advised to add the Security Component to my controller to have
> automatic protection for
I was advised to add the Security Component to my controller to have
automatic protection for my submitted forms. However, when I tell my
controller to use the Security Component and submit a form, I get the
following error:
Notice (8): Undefined index: key [CORE_1.2.0.7296-rc2/cake/libs
Hey Folks,
I'm trying to use the Security component for simple HTTP
authentication on a single item in my Cake app, and I'm having trouble
getting a proper error message to display upon incorrect login or when
I cancel the login. At the moment, I just get a blank page when I would
I use the Security component in a few controllers. I have had no
problems with any of these but one of my clients is not able to get a
particular controller to work. The same snippet is used in 4
controllers and the client has problems with only the
VolunteerInterest controller.
Here is my
I think you can also do this globally for a model using its $whitelist
field.
On Jul 5, 7:11 am, "Dr. Tarique Sani" <[EMAIL PROTECTED]> wrote:
> On Sat, Jul 5, 2008 at 11:37 AM, phpjoy <[EMAIL PROTECTED]> wrote:
>
> > Throughout the examples in the manual (1.2 and 1.1), I haven't noticed
> > any
On Sat, Jul 5, 2008 at 11:37 AM, phpjoy <[EMAIL PROTECTED]> wrote:
>
> Throughout the examples in the manual (1.2 and 1.1), I haven't noticed
> any reminder of that possible risk, though I noticed the bad
>
http://api.cakephp.org/1.2/class_model.html#ebe42ae387be89985b5a35dd428f5c81
Notice the t
When getting a form from a user, it should be double checked in the
user's action logic.
A user could easily manipulate a form field to submit a new field to
the server, like id="4294967294", and stuck the users table. The user
could guess, of course, other field names, or see other forms/views
an
> Pardon the previous cryptic reply (!).
Haha, nice one! ;)
Thank you. I appreciate you sharing your expertise on this subject.
Seth
Pardon the previous cryptic reply (!).
The Blowfish algorithm is more secure than the Security::cipher()
method. In most cases, if you or your client are overly concerned
with data security, then Blowfish (or its successor, Twofish) are both
viable options for encryption/decryption schemes
> From cold hard facts, no.
Joel, please forgive me but I'm a little confused by your answer.
Quite simply, is Security::cipher() a viable alternative to
mcrypt_encrypt or would it be more advisable to go the route of
mcrypt_encrypt for sensitive data in CakePHP? I have seen
> In CakePHP I noticed the cipher() function as part of the Security
> class. At first glance however, I wasn't able to discern what type of
> encryption scheme is being used.
It's a simple symmetric key bitmask cipher.
> My question is this: How does CakePHP's
I don’t recall blowfish ever being secure ;)
-Original Message-
From: cake-php@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of
seedifferently
Sent: 14. juni 2008 23:13
To: CakePHP
Subject: How strong is Security::cipher() ?
Dear group,
I'm writing an app in CakePHP and
r() function as part of the Security
class. At first glance however, I wasn't able to discern what type of
encryption scheme is being used.
My question is this: How does CakePHP's cipher() function stack up
against something like mcrypt()? Is it of a similar level of security?
Can I slee
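An added example for the thread above (not `Security::cipher()`'s code and not from the list): a toy keystream cipher of the kind the reply calls a "bitmask cipher", i.e. plaintext XORed with a byte stream derived only from the key, is constructed here to show why such a scheme cannot protect sensitive data (one known plaintext under a key recovers the keystream and decrypts every other message under that key), and `openssl_encrypt()` with AES-256-GCM is shown as the kind of authenticated cipher to use instead. The toy cipher, the demo key and the card-number strings are constructed; the `toy*` functions are not Cake's.

```php
<?php
// Added example; the toy cipher is constructed and is NOT Security::cipher().

// Toy keystream cipher: the stream depends only on the key, so every message
// under the same key is XORed with the same bytes.
function toyKeystream($key, $length) {
    $stream = '';
    $block  = '';
    for ($i = 0; strlen($stream) < $length; $i++) {
        $block   = hash('sha256', $key . $i . $block, true);
        $stream .= $block;
    }
    return substr($stream, 0, $length);
}

function toyCipher($text, $key) {            // encrypt and decrypt are the same op
    return $text ^ toyKeystream($key, strlen($text));
}

// Known-plaintext attack: plaintext XOR ciphertext gives the keystream.
function recoverKeystream($knownPlain, $knownCipher) {
    return $knownPlain ^ $knownCipher;
}

// Authenticated encryption with a fresh IV per message (PHP >= 7.1).
function aesGcmEncrypt($plaintext, $key, $aad = '') {
    $iv  = random_bytes(12);                 // unique per message, stored in the clear
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, 16);
    return $iv . $tag . $ct;
}

function aesGcmDecrypt($blob, $key, $aad = '') {
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    // false if ciphertext, tag or AAD was altered.
    return openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
}

$key = 'constructed-demo-key';

// The attacker knows one message under the key (e.g. a stored welcome note)...
$known   = 'Welcome to the site, Alice!';
$knownCt = toyCipher($known, $key);
// ...and captures a second ciphertext under the same key.
$secret   = 'card=4111111111111111';
$secretCt = toyCipher($secret, $key);

$stream = recoverKeystream($known, $knownCt);
$leaked = substr($secretCt, 0, strlen($stream)) ^ $stream;   // XOR truncates to the shorter string
if ($leaked !== substr($secret, 0, strlen($stream))) throw new RuntimeException('attack unexpectedly failed');

// AES-GCM: distinct IV per message, and tampering is detected.
$aesKey = hash('sha256', $key, true);       // demo only; use a random 32-byte key in practice
$blob   = aesGcmEncrypt($secret, $aesKey, 'donation');
if (aesGcmDecrypt($blob, $aesKey, 'donation') !== $secret) throw new RuntimeException('round trip failed');
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
if (aesGcmDecrypt($tampered, $aesKey, 'donation') !== false) throw new RuntimeException('tampering not detected');

echo "keystream reuse leaked: $leaked\n";
echo "AES-GCM round trip ok, tampering rejected\n";
```

The weakness shown is inherent to any fixed-key XOR scheme, whatever the key-to-stream mapping, which is why the reply steers towards a real block cipher; today that means AES in an authenticated mode rather than Blowfish.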
The Security component validates the allowed fields in a post.
What I was wondering is whether it really should validate (and
blackhole) fields in fields in fields the way it does at present?
Say a model has these fields:
User
id -int
prefs - blob
password - varchar
In this case the
I am in the process of rewriting my site from 1.1 to 1.2 and trying to
utilize the built in components whenever possible but I am unsure
about the security component. In my first app I built my own
functions to do this -- authenticate user, hash passwords, etc. Is
that pretty much all the
digest auth for my admin actions in the
> > app_controller:
>
> > function beforeFilter() {
> > if(isset($this->params[Configure::read('Routing.admin')])){
> > $this->Security->requireLogin('*', array('users' => array(
>
> I need some help with the following problem:
>
> my cakephp version: 1.2.0.6311.
>
> i have configured digest auth for my admin actions in the
> app_controller:
>
> function beforeFilter() {
> if(isset($this->params[Configure::read('Routing.admin'
hi,
I need some help with the following problem:
my cakephp version: 1.2.0.6311.
i have configured digest auth for my admin actions in the
app_controller:
function beforeFilter() {
if(isset($this->params[Configure::read('Routing.admin')])){
$this->Securi
Forget it, I've found the solution
http://book.cakephp.org/nl/view/183/creating-forms
:)
On 21 feb, 12:07, "Andrés Otárola" <[EMAIL PROTECTED]> wrote:
> I want to check that a form was sent using a post request, using
> Security component requirePost() as usu
I want to check that a form was sent using a POST request, using the
Security component's requirePost() as usual. It works for a normal POST
request, but when I'm sending an edit form, there is a hidden field
called "_method", and its value is "PUT"; the problem here is
Does anyone recommend some books that cover web application security?
Thank you,
CodeCowBoy
roller' => 'sections',
'action' => 'index', 'prefix' => Configure::read('Routing.admin')));
My old file was without the 'prefix' key. That fixed the problem. Any
ideas why?
On Nov 30, 12:59 pm, AD7six <[EMAIL PROTECTED]>
On Nov 30, 11:46 am, phpjoy <[EMAIL PROTECTED]> wrote:
> I'm experiencing a VERY weird auth problem, which is a very big
> security risk for my application.
>
> When I try to access a page in the admin section directly, I'm being
> redirected to the login page.
I'm experiencing a VERY weird auth problem, which is a very big
security risk for my application.
When I try to access a page in the admin section directly, I'm being
redirected to the login page.
When I try to do the same via an XHR call, the page is loaded!
Example:
When I try to
t;.
$this->data['Search']['searchvalue2']."/".$this->data['Search']
['searchvalue3']);
}
function results( $searchvalue1, $searchvalue2, $searchvalue3 ) {
// Displays results
}
Originally i wanted to ask whether it is a security proble
Thanks for your answer; unfortunately I don't totally get what you mean, but I
don't think you got me either :P
So first, I'm a Cake newbie and I'm trying to develop a quite big
report system with Cake as foundation.
Anyway, my biggest question is not really related to Cake, more to the
MVC pattern, since I
Hi McFadly,
That's interesting, thanks. I normally use othAuth but I just wanted a
very simple HTTP auth, and it seems to me that should be easily
achievable with this Security component, although I have not been able
to get it to work!
All I would like to do is turn off the separate checking of
Hi Luke -
I think you're making this process more difficult than it needs to
be. I haven't used HTTP auth in the Security component, so I can't
offer much insight in that realm. But you may just want to look into
using the Auth component; it's pretty straightforward. Check out
submit
> admin_Add or admin_edit) I get asked to authenticate again, which also
> doesn't seem to work if correct details are put in. (The latter is to
> do with my custom blackhole callback I think).
>
> How can I tell the Security component not to ask for Auth again upon
>
working, BUT, when I submit an add form (e.g. submit
admin_Add or admin_edit) I get asked to authenticate again, which also
doesn't seem to work if correct details are put in. (The latter is to
do with my custom blackhole callback I think).
How can I tell the Security component not to ask for Auth
Hi all,
I've 2 controllers, users and menus.
users controller has an action called chgpasswd.
menus controller has an action called gopasswd.
Basically, the action gopasswd is to redirect (by using
$this->redirect) to chgpasswd action.
But after I added the $this->Security-&
PROTECTED]> wrote:
> You actually have to give it the password in plaintext as well in
> order for it to generate the necessary hash data.
>
> On Oct 23, 1:57 am, jcsiegrist <[EMAIL PROTECTED]> wrote:
>
> > Hi everyone,
>
> > I'm trying to use the Se
You actually have to give it the password in plaintext as well in
order for it to generate the necessary hash data.
On Oct 23, 1:57 am, jcsiegrist <[EMAIL PROTECTED]> wrote:
> Hi everyone,
>
> I'm trying to use the Security HTTP authentication features. While I
> can get
Hi everyone,
I'm trying to use the Security HTTP authentication features. While I
can get basic authentication to work, I just can't get digest to work.
I'm using 1.2r5879.
I use this call to the Security component in the beforeFilter of my
AppController
$this->Secu
this is integrated into the AuthComponent already.
function beforeFilter() {
$this->Auth->authorize = array('model' => 'User');
}
then put this in the User model for instance.
function isAuthorized($user, $controller, $action) {
//do some checks
return false;
}
if you want to do
I've been thinking about whether or not it's a good idea to place ACL
check things in the model or not. My idea is to maybe place some sort
of generic access check in AppModel to interrupt the request if the
user (or requester) doesn't have access. But I don't know if that will
break the MVC pattern or
othAuth component or AuthComponent in CakePHP 1.2
On Oct 18, 3:50 am, Kristopher <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I just wanted some feedback as to which auth plugin/component/helper I
> should use for administrative logins via SSL (over https).
>
> What are some of the options and what have
Hi,
I just wanted some feedback as to which auth plugin/component/helper I
should use for administrative logins via SSL (over https).
What are some of the options and what have you used that works. I am
using CakePHP 1.2.
Some of what I found in the Bakery:
-othAuth component
-obAuth Simple
s would be sufficient:
>
> > class UsersController extends AppController {
> > // ...
> > function edit($id = null) {
> > if (!empty($this->data)) {
> > unset($this->data['User']['active']);
> > // carry on as normal
ing something like this would be sufficient:
>
> class UsersController extends AppController {
> // ...
> function edit($id = null) {
> if (!empty($this->data)) {
> unset($this->data['User']['active']);
> // carry on as normal here
>
>
> > When I have this:
> > $form->input('User.email');
> > $form->input('User.password');
>
> > and put via firebug > value="1">
>
> > and then $this->User->save($this->data);
> > It saves
point.
>
> > When I have this:
> > $form->input('User.email');
> > $form->input('User.password');
>
> > and put via firebug > value="1">
>
> > and then $this->User->save($this->data);
> > It saves activ
if (!empty($this->data)) {
unset($this->data['User']['active']);
// carry on as normal here
}
}
// ...
}
Although logging and trapping could be useful too.
I believe the 1.2 Security Component has some way of designating form
fields as restricted, as w
then $this->User->save($this->data);
> It saves active as well!!!
>
> A huge security risk!!
If you don't know what you are doing and don't read the api/manual
(whitelist).
Well he's got a point.
When I have this:
$form->input('User.email');
$form->input('User.password');
and put via firebug
and then $this->User->save($this->data);
It saves active as well!!!
A huge security risk!!
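An added example (not from the thread and not CakePHP's code) that reproduces the problem described in the posts above and shows the whitelist the replies point to: the POST body is a constructed one with `active` and `role` added in the browser, `naiveSave()` stands in for `$this->User->save($this->data)`, and `whitelistFields()` keeps only the columns the action meant to write. The CakePHP 1.2 calls in the closing comment are assumed from the 1.2 Model API (the third `save()` argument and the model `$whitelist` mentioned in this thread); check them against your version.

```php
<?php
// Added example, not code from the thread or from CakePHP.

// Constructed POST body: the form rendered only email and password, but the
// attacker added User[active]=1 and User[role]=admin to the DOM first.
$forgedPost = array(
    'User' => array(
        'email'    => 'attacker@example.com',
        'password' => 'hunter2',
        'active'   => '1',       // never rendered by the form helper
        'role'     => 'admin',   // same trick, different column
    ),
);

// Naive handling: whatever the client sent is what gets saved.
// Stands in for $this->User->save($this->data).
function naiveSave(array $data) {
    return $data['User'];
}

// Defence: keep only the columns this action is allowed to write.
function whitelistFields(array $record, array $allowed) {
    return array_intersect_key($record, array_flip($allowed));
}

// Same check as a diff, so an attempt can be logged as tampering.
function rejectedFields(array $record, array $allowed) {
    return array_keys(array_diff_key($record, array_flip($allowed)));
}

$allowed = array('email', 'password');

$saved = naiveSave($forgedPost);
if (!isset($saved['active'])) throw new RuntimeException('expected the flaw to reproduce');

$clean = whitelistFields($forgedPost['User'], $allowed);
if (isset($clean['active']) || isset($clean['role'])) throw new RuntimeException('whitelist leaked a field');
if (array_keys($clean) !== array('email', 'password')) throw new RuntimeException('unexpected columns');

$rejected = rejectedFields($forgedPost['User'], $allowed);   // array('active', 'role')
if ($rejected !== array('active', 'role')) throw new RuntimeException('diff wrong');
error_log('tamper attempt, unexpected fields: ' . implode(',', $rejected));

// CakePHP 1.2 equivalents (assumed from the 1.2 API; check your version):
//   $this->User->save($this->data, true, array('email', 'password')); // per-call field list
//   var $whitelist = array('email', 'password');                     // in the User model
echo "saved columns: " . implode(',', array_keys($clean)) . "\n";
```

Unsetting one known field, as the quoted reply does, only protects against the column you thought of; a deny-by-default list protects against the columns you did not.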
The information is valuable to the attacker only if s/he has the
access to the database (read: there is a security hole in the application).
There may still be a way to get the field list from the table (eg. SHOW
CREATE TABLE for MySQL) once an attacker can execute own SQL statements on
the
There's nothing that says you have to name your field with the model/
field method. If you're concerned about this give it a different
name, but then you will need to parse the $this->data array and
restructure it if you intend to use $this->model->save($this->data);
I doubt this is efficient, es
When the crackers have no access to the database, they would be able to
access your information.
But if they find your DB access, they will find out your
information.
If you are aware of security things, you can use plain HTML with PHP
instead of the form helper.
You can say instead of using $html
On Oct 10, 11:27 am, wralph <[EMAIL PROTECTED]> wrote:
> What you're talking about is security through obfuscation and it never
> works against a persistent hacker. There is no security risk in
> publishing the DB tables and fields, the risk is in the strength of
> the passwords
What you're talking about is security through obfuscation and it never
works against a persistent hacker. There is no security risk in
publishing the DB tables and fields; the risk is in the strength of
the passwords for connecting to the DB and the level of access given
to particular users - this
I agree with you... In fact, I've been thinking about it for a long
time. It's surely a security risk... Though it looks like we are just
exposing the database structure, it's still confidential
information, which can take an attacker to his aim
Cake might be secured enough, but consider
On Oct 10, 4:19 pm, Comida411 <[EMAIL PROTECTED]> wrote:
> When the page is rendered if some one does a view source he can
> clearly see the table name and the column name.
>
> Is it not a security risk?
Arguably it gives an attacker more information - but it's no
Assuming you have reasonable security in your database (strong
passwords with normal expiration periods, hard to guess user names,
updated db software), I don't know why you'd care about this.
Would it *really* be a big problem if you were forced to publish your
data model on your web
user table "users" with fields 1) email_address 2)
password
On my view when I use Cake syntax like below
input('User/email_address', array('size' => '40'))?
>
When the page is rendered if some one does a view source he can
clearly see the table n
What do you mean when you say Apache crash?
>
> Ketan
>
> francky06l wrote:
> > Hi All,
>
> > Actually it's my first time I am trying the blackHoleCallBack of the
> > security component. I wanted to have a unique function (in
> > app_controller) that I would