Thursday, April 11, 2013

Re: CakePHP Security Command Injection vulnerability

Something else to consider for the security conscious: if possible, don't have the lib directory and Cake core code viewable via the web server.

Ideally, the website root would be pointing to app/webroot, so direct access to some of those programs is not available. 

On Thursday, 11 April 2013 17:37:56 UTC+10, John Abat wrote:
Hi there,

I hope anyone can share some knowledge about this: 
We are regularly building our web applications with cakephp and some of our clients demand a thorough security check before going live.  
Recently one of these checks revealed a high risk of Command Injection, the most vulnerable file being /lib/Cake/Utility/file.php.

Other issues: 
  • Stored Code Injection
  • XSRF (this can be contained with the Security component)
  • Information Leak Through Persistent Cookies
Other vulnerable files mentioned:

  • cookiecomponent.php
  • cakesocket.php
  • consoleinput.php

Since these are all cake core files I wonder if these are known issues and if anyone has some information on this.

Thanx!

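The reply at the top of this thread recommends pointing the web server's document root at app/webroot so that lib/Cake is never served directly. The following shell script is an added example, not code from the post or from the CakePHP project; it assumes the standard CakePHP 2.x layout of PROJECT/app/webroot (public files) and PROJECT/lib/Cake (core code), and builds a throwaway copy of that layout with mktemp so it runs without a real deployment. `path_is_served` reports whether a directory lies inside a given DocumentRoot, and `audit_docroot` turns that into the exposed/hidden verdict a deployment checklist would record.

```shell
#!/bin/sh
# Added example (not from the original post or from CakePHP).
# Assumed layout: PROJECT/app/webroot is the intended DocumentRoot,
# PROJECT/lib/Cake holds the framework core that should not be web-reachable.

# path_is_served DOCROOT DIR
#   Returns 0 if DIR resolves to a path inside DOCROOT (the web server can
#   serve it), 1 if it is outside, 2 if either path does not exist.
#   Both paths are canonicalised with pwd -P so symlinks do not fool the check.
path_is_served() {
  docroot=$(cd -- "$1" 2>/dev/null && pwd -P) || return 2
  target=$(cd -- "$2" 2>/dev/null && pwd -P) || return 2
  docroot=${docroot%/}          # so a DocumentRoot of "/" still yields pattern "/*"
  case "$target/" in
    "$docroot"/*) return 0 ;;
    *)            return 1 ;;
  esac
}

# make_demo_tree
#   Creates a constructed project skeleton under mktemp and prints its path.
make_demo_tree() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/app/webroot" "$d/lib/Cake/Utility"
  : > "$d/lib/Cake/Utility/File.php"   # stand-in for the core file named in the thread
  printf '%s\n' "$d"
}

# audit_docroot DOCROOT PROJECT
#   Prints "exposed" when PROJECT/lib/Cake is reachable through DOCROOT,
#   "hidden" when it is not.
audit_docroot() {
  if path_is_served "$1" "$2/lib/Cake"; then
    echo exposed
  else
    echo hidden
  fi
}

# Stand-alone demonstration: the same project audited with two DocumentRoots.
if [ "${DEMO_TREE_SKIP:-}" = "" ]; then
  P=$(make_demo_tree)
  printf 'DocumentRoot = project root : %s\n' "$(audit_docroot "$P" "$P")"
  printf 'DocumentRoot = app/webroot  : %s\n' "$(audit_docroot "$P/app/webroot" "$P")"
  rm -rf "$P"
fi
```

On a real host, substitute the DocumentRoot from the Apache virtual host (or the nginx `root` directive) and the deployed project path for the two arguments; an "exposed" result means requests for /lib/Cake/... will be answered by the web server, which is exactly the situation the reply advises against.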
