I'm intrigued by this issue. Can someone explain in what situations the whole config var would be output? Is it only when an error occurs, and only at a certain debug level? I've never seen it displayed at all whilst developing with CakePHP.
Out of interest I googled the first part of the output, i.e. $config = array( "persistent" => false, and it certainly surprised me how many sites this brings back with passwords on show.

On Jun 21, 12:46 pm, yodi <[email protected]> wrote:
> Sorry, it was on a random site built by CakePHP.
>
> To Euromark, I found more than 100 websites affected with this problem
> and I don't have much time to email them all.
>
> I think, whether it debug > 0, CakePHP shouldn't throw real password
> into CONTEXT.
>
> I try searching another CMS and Framework. Using same method, I found
> nothing of them show real password where database error connection
> occurred.
>
> Yes, this is security issue for me. Which there are many developers
> using CakePHP.
>
> To Larry, I can send you some message to show how much it's affected. It
> can be consideration.
>
> Thanks
>
> On Tue, 2011-06-21 at 06:13 -0500, Larry E. Masters wrote:
> > Are you saying this was on the CakePHP website or a random site you
> > were visiting?
> >
> > --
> > Larry E. Masters
> >
> > On Mon, Jun 20, 2011 at 2:18 PM, yoodey <[email protected]> wrote:
> > Hello all,
> >
> > I'm randomly browsing and get a website with Database error
> > connection.
> > It gave me error page : Warning (2): mysql_connect()
> > [function.mysql-connect]: Access denied for user ...
> >
> > So I click on Context option and got this information.
> >
> > $config = array(
> >     "persistent" => false,
> >     "host" => "xxxxxxxxxxxxxxxxxxx",
> >     "login" => "dbxxxxx",
> >     "password" => "dbtxxx",
> >     "database" => "dbxxxxx",
> >     "port" => "3306",
> >     "driver" => "mysql",
> >     "prefix" => "",
> >     "encoding" => "UTF8"
> > )
> >
> > To avoid other people doing bad thing, I'm not showing real error
> > information.
> >
> > I'm doing mysql command based on that information and guess what? I
> > got full access!
> > Curious with this error, I'm doing little research and found more than
> > 1000 website mysql root access. (there many others, but I too tired to
> > check it one by one).
> >
> > This is very dangerous things which I'm big fans of CakePHP. I working
> > on 50K/day visitors website powered by CakePHP which I don't wanna
> > this thing happen to me.
> >
> > So, please tell me, which people in cakephp.org should be contacted
> > because this issue. Opening ticket will leaked real information for
> > the victim website.
> >
> > Thanks
> >
> > Yoodey
> >
> > --
> > Our newest site for the community: CakePHP Video Tutorials
> > http://tv.cakephp.org
> > Check out the new CakePHP Questions site http://ask.cakephp.org and
> > help others with their CakePHP related questions.
> >
> > To unsubscribe from this group, send email to
> > [email protected] For more options, visit this
> > group at http://groups.google.com/group/cake-php
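
The thread's complaint is that the error context shows the real `$config` values, password included. As an added example (not code from the thread or from CakePHP itself), one way to keep such values out of a rendered debug context is a recursive redaction pass over the array before it is displayed; the function name `redactContext`, the key list and the sample values are assumptions made for illustration.

```php
<?php
// Added example: mask credential-like keys in an error-context array
// before it is rendered on a debug page. Not CakePHP code; the function
// name and the key list are assumptions for illustration.

const SENSITIVE_KEYS = ['password', 'login', 'host', 'database'];

function redactContext(array $context, array $sensitive = SENSITIVE_KEYS): array
{
    $clean = [];
    foreach ($context as $key => $value) {
        if (is_string($key) && in_array(strtolower($key), $sensitive, true)) {
            // Keep the key so a developer can see the setting exists,
            // but never echo its value.
            $clean[$key] = '*****';
        } elseif (is_array($value)) {
            // Connection settings may be nested, e.g. one entry per datasource.
            $clean[$key] = redactContext($value, $sensitive);
        } else {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed sample with the same shape as the array quoted in the thread.
$context = [
    'config' => [
        'persistent' => false,
        'host'       => 'db.example.invalid',
        'login'      => 'appuser',
        'password'   => 'not-a-real-secret',
        'database'   => 'appdb',
        'port'       => '3306',
        'driver'     => 'mysql',
        'prefix'     => '',
        'encoding'   => 'UTF8',
    ],
];

// Only the redacted copy is ever passed to the output routine.
print_r(redactContext($context));
```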
