Thursday, April 11, 2013

Re: CakePHP Security Command Injection vulnerability

Hi John,

If you just had some security tool check your app, then it is
probably just a false positive warning.
Otherwise, if you have a clue where there is a potential security issue,
I would recommend that you
file a detailed description (including the version) of how the affected
code is vulnerable directly with some of the core devs,
not over this mailing list.

best regards
Jan

On 11.04.2013 09:37, John Abat wrote:
> Hi there,
>
> I hope anyone can share some knowledge about this:
> We are regularly building our web applications with cakephp and some
> of our clients demand a thorough security check before going live.
> Recently one of these checks revealed a high risk of Command Injection
> and the most vulnerable file being /lib/Cake/Utility/file.php.
>
> Other issues:
>
> * Stored Code Injection
> * XSRF (this can be contained with the Security component)
> * Information Leak Through Persistent Cookies
>
> Other vulnerable files mentioned
>
> # cookiecomponent.php
> # cakesocket.php
> # consoleinput.php
>
>
> Since these are all cake core files I wonder if these are known issues
> and if anyone has some information on this.
>
> Thanx!
> --
> Like Us on FaceBook https://www.facebook.com/CakePHP
> Find us on Twitter http://twitter.com/CakePHP
>
> ---
> You received this message because you are subscribed to the Google
> Groups "CakePHP" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cake-php+unsubscribe@googlegroups.com.
> To post to this group, send email to cake-php@googlegroups.com.
> Visit this group at http://groups.google.com/group/cake-php?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

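The original post notes that the XSRF finding "can be contained with the Security component" and also lists a persistent-cookie information leak against cookiecomponent.php. The following AppController is an added example of what that containment looks like in a CakePHP 2.x application; it is not code from the thread or from the CakePHP project. It assumes CakePHP 2.2 or later (the flagged path lib/Cake/Utility/File.php is a 2.x layout), that the app runs over HTTPS, and that the mcrypt extension is available for the rijndael cookie cipher. The controller name, cookie name and log messages are illustrative choices.

```php
<?php
// app/Controller/AppController.php
// Added example, not the thread's or the CakePHP project's own code.
// Assumes CakePHP 2.2+; hook names and component properties are the 2.x ones.
App::uses('Controller', 'Controller');
App::uses('CakeLog', 'Log');

class AppController extends Controller {

    // Security issues CSRF tokens and detects tampered form fields;
    // Cookie is the component the scanner report listed (cookiecomponent.php).
    public $components = array('Security', 'Cookie');

    public function beforeFilter() {
        parent::beforeFilter();

        // CSRF: every POST/PUT/DELETE must carry the token that FormHelper
        // embeds when the Security component is active.
        $this->Security->csrfCheck   = true;
        $this->Security->csrfUseOnce = true;          // each token is single-use
        $this->Security->csrfExpires = '+30 minutes'; // and short-lived
        // Failed checks are routed here instead of being silently black-holed.
        $this->Security->blackHoleCallback = 'blackhole';
        // Endpoints that legitimately receive token-less POSTs (for example a
        // payment-provider callback) are listed here by action name; the check
        // is never switched off globally. Empty in this example.
        $this->Security->unlockedActions = array();

        // Persistent cookies: encrypted, HTTPS-only and hidden from scripts.
        $this->Cookie->name     = 'app';       // illustrative cookie name
        $this->Cookie->time     = '+1 week';
        $this->Cookie->secure   = true;        // only sent over HTTPS
        $this->Cookie->httpOnly = true;        // not readable by JavaScript
        $this->Cookie->type('rijndael');       // 2.2+; 'cipher' is the legacy XOR scheme
    }

    /**
     * Called by SecurityComponent with the failure type ('auth', 'csrf',
     * 'secure', 'post', ...). Log it and refuse the request.
     */
    public function blackhole($type) {
        CakeLog::write('security', sprintf(
            'Request black-holed (%s) from %s for %s',
            $type,
            $this->request->clientIp(),
            $this->request->here
        ));
        throw new ForbiddenException(__('The request has been black-holed'));
    }
}
```

The token is only checked for requests that SecurityComponent considers state-changing, so GET handlers that modify data are still exposed; the fix for those is to require POST (or `$this->request->allowMethod()`), not to widen the CSRF check. Whatever cookie cipher is used, the value is only as secret as `Security.key` in app/Config/core.php, which must be changed from the shipped default.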