I recently had a CakePHP app I had built penetration tested (2.3). It failed 16 out of nearly 50,000 tests; 12 of those were server related. If you build to the conventions and use the Security component, you'll be OK.
Jeremy Burns
Class Outfit
http://www.classoutfit.com
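An added example, not code from Jeremy's app or from anyone on this thread, showing the Security component setup the reply refers to on CakePHP 2.x: CSRF and form-tamper checks are switched on in AppController, and any failed check goes to a black-hole callback that logs it and answers with a 400. The `webhook` action and the `securityBlackHole` method name are assumed for illustration.

```php
<?php
// Added example, not part of the thread: CakePHP 2.x AppController that
// enables the Security component's CSRF and form-tamper protection.
App::uses('Controller', 'Controller');
App::uses('CakeLog', 'Log');

class AppController extends Controller {

    public $components = array(
        'Security' => array(
            'csrfCheck'    => true,          // require the per-form CSRF token
            'csrfUseOnce'  => true,          // each token is valid for one submission
            'csrfExpires'  => '+30 minutes', // tokens expire even if unused
            'validatePost' => true,          // reject forms whose field set was altered
        ),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // Route every Security failure (csrf, post, secure, auth, get) here.
        $this->Security->blackHoleCallback = 'securityBlackHole';
        // Hypothetical endpoint that legitimately receives raw POSTs from a
        // non-Cake client (no token fields), so it is excluded from the checks.
        $this->Security->unlockedActions = array('webhook');
    }

    /**
     * Called by SecurityComponent::blackHole() with the failure type.
     * Logging the type, request and client makes a failed check triageable.
     */
    public function securityBlackHole($type) {
        CakeLog::write('warning', sprintf(
            'Security check failed (%s): %s %s from %s',
            $type,
            $this->request->method(),
            $this->request->here,
            $this->request->clientIp()
        ));
        throw new BadRequestException(__('The security token for this form is invalid or expired.'));
    }
}
```

Forms built with FormHelper get the token and field-hash inputs automatically; a hand-written form without them is black-holed, which is the intended behaviour.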
On 11 Apr 2013, at 18:57:18, Jan Kohlhof <kohj@Mathematik.Uni-Marburg.de> wrote:
> Hi John,
>
> if you just had some security tool to check your app, then it is
> probably just a false positive warning.
> Otherwise, if you have a clue where there is a potential security issue,
> I would recommend that you
> file a detailed description (including the version) on how the affected
> code is vulnerable directly to some of the core devs,
> not over this mailing list.
>
> best regards
> Jan
>
> On 11.04.2013 09:37, John Abat wrote:
>> Hi there,
>>
>> I hope anyone can share some knowledge about this:
>> We are regularly building our web applications with cakephp and some
>> of our clients demand a thorough security check before going live.
>> Recently one of these checks revealed a high risk of Command Injection
>> and the most vulnerable file being /lib/Cake/Utility/file.php.
>>
>> Other issues:
>>
>> * Stored Code Injection
>> * XSRF (this can be contained with the Security component)
>> * Information Leak Through Persistent Cookies
>>
>> Other vulnerable files mentioned
>>
>> # cookiecomponent.php
>> # cakesocket.php
>> # consoleinput.php
>>
>>
>> Since these are all cake core files I wonder if these are known issues
>> and if anyone has some information on this.
>>
>> Thanx!
>> --
>> Like Us on FaceBook https://www.facebook.com/CakePHP
>> Find us on Twitter http://twitter.com/CakePHP
>>
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "CakePHP" group.
>> To unsubscribe from this group and stop receiving emails from it, send
>> an email to cake-php+unsubscribe@googlegroups.com.
>> To post to this group, send email to cake-php@googlegroups.com.
>> Visit this group at http://groups.google.com/group/cake-php?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>
Thursday, April 11, 2013