Thursday, June 12, 2014

Re: Security component and SQL Injection

I personally do not think the site was the victim of an SQL Injection as I am not passing any raw queries into the system anywhere.  The more realistic cause of the problem is I shared phpMyAdmin user details with the client and they accidentally deleted the table themselves, or the login details were made available to someone else who did this.  If this was an injection attack, I would expect them to do more than remove one table from one database.  

I don't like to jump to conclusions though, so just wanted to know if my configuration has somehow opened up the possibility of SQL Injection.

Thanks, Paul.

On Thursday, 12 June 2014 11:36:00 UTC+1, José Lorenzo wrote:
No, the security component does not protect you against that. There must be some place where you are passing raw input into a query.

On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
Hi,

I've just launched a site for a client that had quite a big form in it that people were spending a long time trying to complete.  Because some people were walking away from the form, then coming back later and trying to submit, their security tokens were expiring, so the client asked me to disable security for that form.

I did the following:
if ($this->request->action == 'add') {
  $this->Security->validatePost = false;
  $this->Security->csrfCheck = false;
}

Fast forward to this evening and someone has managed to delete the users table from the database.  Could disabling validatePost and csrfCheck have allowed someone to SQL inject a table drop?

Thanks,

Paul.
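A side-by-side illustration of the point José makes above, added here and not taken from the thread or from CakePHP itself: validatePost and csrfCheck govern form tampering and CSRF, while the code that assembles the query is the only thing that decides whether SQL injection is possible. It uses PHP's PDO against an in-memory SQLite database with constructed sample rows, so it runs stand-alone.

```php
<?php
// Added illustration (not code from the original post or from CakePHP).
// Security->validatePost and Security->csrfCheck protect the form, not the
// query; the two functions below differ only in how the SQL is built.
// Constructed sample data in an in-memory SQLite database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)");
$pdo->exec("INSERT INTO users (email) VALUES ('paul@example.com'), ('o''brien@example.com')");

// Vulnerable form: request data is concatenated straight into the SQL text,
// so whatever the user typed is parsed as SQL rather than treated as a value.
// Turning the Security component on or off neither causes nor cures this.
function findUserUnsafe(PDO $pdo, $email) {
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened form: a prepared statement sends the value separately from the SQL
// text, so a quote in the input can never change the statement's structure.
// (In CakePHP 2 the equivalent is a conditions array passed to find(), which
// the ORM escapes for you, instead of a hand-built string.)
function findUserSafe(PDO $pdo, $email) {
    $stmt = $pdo->prepare("SELECT id, email FROM users WHERE email = ?");
    $stmt->execute(array($email));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// A perfectly legitimate, constructed input that happens to contain a quote.
$input = "o'brien@example.com";

try {
    var_dump(findUserUnsafe($pdo, $input));
} catch (PDOException $e) {
    // The quote terminated the string literal early: the input reached the
    // SQL parser. Input that can reach the parser can also rewrite the query.
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}

// The same input is passed as a bound value, so it is matched as data.
var_dump(findUserSafe($pdo, $input));
```

If an application has no code of the first kind anywhere, no Security component setting can open an injection path; conversely, if it has, the Security component cannot close it.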
