It is the developer's fault, for deploying a system in a way it should never be deployed.

Since I was working under the pretense that any developer who actually cared about these kinds of things wouldn't make a stupid mistake like this, and combined with the fact that removing the passwords is a non-trivial problem, I punted on the issue. The place where this error gets displayed from is inside Debugger, and it's more than non-trivial to filter through the various parts of output, looking for things that follow "password", and cutting them out. While this is probably doable, it will affect all the messages that Debugger will create. I guess I underestimated the ability of people to screw up basic deployment. If someone wants to prepare a patch, I'd be happy to apply it so people who can't be bothered to properly deploy their applications can sleep better at night.

-Mark

On Jun 21, 10:22 am, Miles J <[email protected]> wrote:
> I have brought this problem up before. Last time, the Cake devs said it was the developer's fault and it will stay in.
>
> -_-
>
> On Jun 21, 8:23 am, looklook look <[email protected]> wrote:
> > Now you got my point ;)
> >
> > I have tried with a Google query to show database connection on Drupal, Codeigniter, Wordpress and many else. But yes, they can handle this database error carefully.
> >
> > So, I think this is a critical issue that should be fixed immediately.
> >
> > Thanks
> >
> > Yodi
> > http://yoodey.com
> >
> > On Tue, Jun 21, 2011 at 9:36 PM, Thomas Ploch <[email protected]> wrote:
> > > OMG,
> > >
> > > I certainly could connect to __several__ mysql servers found with this Google query.
> > >
> > > Although I agree that this is a developer's mistake, I am sure that there are a lot of unskilled developers that are doing this because they just don't know it better. So removing those values from the output would be a +1 from me.
> > >
> > > Regards,
> > > Thomas
> > >
> > > On Tuesday, 21.06.2011, 06:02 -0700, chris wrote:
> > > > I'm intrigued by this issue.
> > > >
> > > > Can someone explain in what situations the whole config var would be output? Is it only when an error occurs, and only when at a certain debug level? I've never seen it displayed at all whilst developing with cakePHP.
> > > >
> > > > Out of interest I googled the first part of the output, i.e.
> > > >
> > > >     $config = array( "persistent" => false,
> > > >
> > > > and it certainly surprised me how many sites this brings back with passwords on show.
> > > >
> > > > On Jun 21, 12:46 pm, yodi <[email protected]> wrote:
> > > > > Sorry, it was on a random site built by CakePHP.
> > > > >
> > > > > To Euromark, I found more than 100 websites affected with this problem and I don't have much time to email them all.
> > > > >
> > > > > I think, whether debug > 0 or not, CakePHP shouldn't throw the real password into CONTEXT.
> > > > >
> > > > > I tried searching other CMSes and frameworks. Using the same method, I found none of them show the real password where a database connection error occurred.
> > > > >
> > > > > Yes, this is a security issue for me. There are many developers using CakePHP.
> > > > >
> > > > > To Larry, I can send you some messages to show how much it's affected. It can be a consideration.
> > > > >
> > > > > Thanks
> > > > >
> > > > > On Tue, 2011-06-21 at 06:13 -0500, Larry E. Masters wrote:
> > > > > > Are you saying this was on the CakePHP website or a random site you were visiting?
> > > > > >
> > > > > > --
> > > > > > Larry E. Masters
> > > > > >
> > > > > > On Mon, Jun 20, 2011 at 2:18 PM, yoodey <[email protected]> wrote:
> > > > > > > Hello all,
> > > > > > >
> > > > > > > I was randomly browsing and got a website with a database connection error. It gave me this error page: Warning (2): mysql_connect() [function.mysql-connect]: Access denied for user ...
> > > > > > >
> > > > > > > So I clicked on the Context option and got this information:
> > > > > > >
> > > > > > >     $config = array(
> > > > > > >         "persistent" => false,
> > > > > > >         "host" => "xxxxxxxxxxxxxxxxxxx",
> > > > > > >         "login" => "dbxxxxx",
> > > > > > >         "password" => "dbtxxx",
> > > > > > >         "database" => "dbxxxxx",
> > > > > > >         "port" => "3306",
> > > > > > >         "driver" => "mysql",
> > > > > > >         "prefix" => "",
> > > > > > >         "encoding" => "UTF8"
> > > > > > >     )
> > > > > > >
> > > > > > > To avoid other people doing bad things, I'm not showing the real error information.
> > > > > > >
> > > > > > > I ran mysql commands based on that information and guess what? I got full access!
> > > > > > > Curious about this error, I did a little research and found more than 1000 websites with mysql root access. (There are many others, but I was too tired to check them one by one.)
> > > > > > >
> > > > > > > This is a very dangerous thing, and I'm a big fan of CakePHP. I work on a 50K/day visitors website powered by CakePHP, and I don't want this thing to happen to me.
> > > > > > >
> > > > > > > So, please tell me which people at cakephp.org should be contacted about this issue. Opening a ticket will leak real information about the victim website.
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > > Yoodey
> > > > > > >
> > > > > > > --
> > > > > > > Our newest site for the community: CakePHP Video Tutorials
> > > > > > > http://tv.cakephp.org
> > > > > > > Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
> > > > > > >
> > > > > > > To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php
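The thread's disagreement is about where to cut: in the Debugger output (which Mark calls non-trivial) or at deployment time. The following is an added example, not CakePHP's own Debugger code, showing the simpler variant of the first option: redact the config array itself before it is dumped into any error page, so nothing resembling a credential reaches the output regardless of which Debugger message renders it. The key list (`password`, `passwd`, `secret`, `token`, `login`) and the sample `$config` values are assumptions and constructed data mirroring the dump quoted above; how this hooks into the framework's own error rendering is not covered by the thread and is left aside.

```php
<?php
// Added example (not CakePHP Debugger code): redact secret-looking keys
// from a context array before it is dumped into an error page.
// The pattern list and the sample $config below are assumed / constructed.

/**
 * Return a copy of $context in which the value of every key whose name
 * contains one of $patterns (case-insensitive) is replaced by $mask.
 * Nested arrays are walked recursively, so a layout such as
 * array('default' => array('password' => ...)) is covered as well.
 */
function redactContext(array $context, array $patterns = array(), $mask = '*****')
{
    if (!$patterns) {
        // Assumed default list; extend it for your own config layout.
        $patterns = array('password', 'passwd', 'secret', 'token', 'login');
    }
    $out = array();
    foreach ($context as $key => $value) {
        if (is_array($value)) {
            $out[$key] = redactContext($value, $patterns, $mask);
            continue;
        }
        $sensitive = false;
        if (is_string($key)) {
            $lower = strtolower($key);
            foreach ($patterns as $needle) {
                if (strpos($lower, $needle) !== false) {
                    $sensitive = true;
                    break;
                }
            }
        }
        $out[$key] = $sensitive ? $mask : $value;
    }
    return $out;
}

// Constructed sample mirroring the dump quoted in the thread; values are fake.
$config = array(
    'persistent' => false,
    'host'       => 'db.example.internal',
    'login'      => 'dbuser',
    'password'   => 'dbt-not-a-real-secret',
    'database'   => 'dbname',
    'port'       => '3306',
    'driver'     => 'mysql',
    'prefix'     => '',
    'encoding'   => 'UTF8',
);

$safe = redactContext($config);
$rendered = var_export($safe, true);
echo '$config = ' . $rendered . ";\n";

// Self-check: neither credential may survive anywhere in the rendered dump.
if (strpos($rendered, 'dbt-not-a-real-secret') !== false
    || strpos($rendered, 'dbuser') !== false) {
    throw new RuntimeException('redaction failed');
}
```

The host, database name and driver are left visible because they are what a developer needs to recognise the failing connection; only the values that grant access are masked. Key-name matching is deliberately broad (substring, case-insensitive), since a redactor that misses `db_password` or `adminPassword` is worse than one that occasionally masks a harmless key. Independently of any patch, the deployment-side fix Mark refers to is to run with `Configure::write('debug', 0)` in `app/config/core.php`, which suppresses the context dump altogether in production.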
