Hello,
I have a CakePHP site I'm working on. I have it live on a production
server; it's still in development.
I switched my core.php from production to development to do some
testing of things on the live server and forgot to change it back. I
left it like this for about a week.
Apparently someone smart found the website. They didn't do any damage;
they just kind of let me know I had a bug somewhere.
They were somehow able to bypass my model validation and register
themselves with a NULL username and password and marked themselves as
a premium member, which can only be done via a PayPal payment using
webtechnick's PayPal plugin. They did this 4 times, setting the username,
email and password fields in the DB to NULL and marking themselves as a
premium member, giving them paid services for free.
I'm wondering if while I left the core.php in development mode they
got DB access somehow and that's how they did it?
Here's my basic user validation which ensures a username and valid
password and confirmation as well as username uniqueness:
    var $validate = array(
        'username'=>array(
            'Not Empty'=>array(
                'rule'=>'notEmpty',
                'message'=>'Please enter your desired username.'
            ),
            'Username 4 length'=>array(
                'rule'=>array('minLength', 4),
                'message'=>'Username must be at least 4 characters in length.'
            ),
            'Username can only be alphanumeric'=>array(
                'rule'=>'alphaNumeric',
                'message'=>'Username can only be letters and numbers.'
            ),
            'Must be unique'=>array(
                'rule'=>'isUnique',
                'message'=>'That username is taken, try another.'
            )
        ),
        'email'=>array(
            'Not empty'=>array(
                'rule'=>'notEmpty',
                'message'=>'Please enter your email address.'
            ),
            'Valid email'=>array(
                'rule'=>'email',
                'message'=>'This is not a valid email address.'
            ),
            'Must be unique'=>array(
                'rule'=>'isUnique',
                'message'=>'That email address is already taken.'
            )
        ),
        'password'=>array(
            'Minimum 6 length'=>array(
                'rule'=>array('minLength', 6),
                'message'=>'Password must be at least 6 characters in length.'
            ),
            'Passwords must match'=>array(
                'rule'=>'matchPasswords',   // custom method on the model (not shown)
                'message'=>'The passwords do not match.'
            )
        ),
        'ToS'=>array(
            'rule'=>'/1/',   // a rule string starting with '/' is treated as a regex
            'message'=>'You must agree to the terms of service.'
        )
    );
Is there any other way they could have gotten around my model
validations? Or did they get DB access because I left my core.php in
development?
Thanks.
--
http://groups.google.com/group/cake-php
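As an added example (not code from the original post or from CakePHP itself), here is the same User validation and register() save hardened for CakePHP 1.x: a rule marked 'required' => true fails when its key is missing from the posted data (by default a rule only runs when the field is present, so an omitted field is saved as NULL), and the fieldList whitelist passed to save() keeps any column outside it, such as the premium flag, from being written from the form. Assumed names: a `premium` column, a `password_confirm` form field, and the poster's own matchPasswords() method, which is not shown.

```php
<?php
class User extends AppModel {
    var $name = 'User';

    // CakePHP 1.x runs a rule only when the field key is present in the
    // posted data, unless the rule has 'required' => true. Without it, data
    // that omits the key passes validation and the column is saved as NULL.
    var $validate = array(
        'username' => array(
            'notEmpty'     => array('rule' => 'notEmpty', 'required' => true,
                                    'message' => 'Please enter your desired username.'),
            'minLength'    => array('rule' => array('minLength', 4),
                                    'message' => 'Username must be at least 4 characters in length.'),
            'alphaNumeric' => array('rule' => 'alphaNumeric',
                                    'message' => 'Username can only be letters and numbers.'),
            'isUnique'     => array('rule' => 'isUnique',
                                    'message' => 'That username is taken, try another.')
        ),
        'email' => array(
            'notEmpty' => array('rule' => 'notEmpty', 'required' => true,
                                'message' => 'Please enter your email address.'),
            'email'    => array('rule' => 'email', 'message' => 'This is not a valid email address.'),
            'isUnique' => array('rule' => 'isUnique', 'message' => 'That email address is already taken.')
        ),
        'password' => array(
            // required on create only, so a later profile edit need not resend it
            'minLength' => array('rule' => array('minLength', 6), 'required' => true, 'on' => 'create',
                                 'message' => 'Password must be at least 6 characters in length.'),
            'match'     => array('rule' => 'matchPasswords', 'message' => 'The passwords do not match.')
        ),
        'ToS' => array('rule' => '/1/', 'required' => true,
                       'message' => 'You must agree to the terms of service.')
    );
}

class UsersController extends AppController {
    function register() {
        if (!empty($this->data)) {
            $this->User->create();
            // Third argument of save() is the field whitelist: only these columns
            // are written. `premium` (assumed column name) is deliberately absent,
            // so it can only be set server-side, e.g. by the verified PayPal handler.
            $fields = array('username', 'email', 'password', 'password_confirm', 'ToS');
            if ($this->User->save($this->data, true, $fields)) {
                $this->Session->setFlash('Account created.');
                $this->redirect(array('action' => 'login'));
            }
        }
    }
}
```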