I recently had a CakePHP (2.3) app I had built penetration tested. It failed 16 out of nearly 50,000 tests; 12 of those were server related. If you build to the conventions and use the Security component, you'll be OK.
Jeremy Burns
Class Outfit
http://www.classoutfit.com

On 11 Apr 2013, at 18:57:18, Jan Kohlhof <[email protected]> wrote:

> Hi John,
>
> If you just had some security tool check your app, then it is probably just a false positive warning.
> Otherwise, if you have a clue where there is a potential security issue, I would recommend you to file a detailed description (including the version) of how the affected code is vulnerable directly with some of the core devs, not over this mailing list.
>
> Best regards
> Jan
>
> On 11.04.2013 09:37, John Abat wrote:
>> Hi there,
>>
>> I hope anyone can share some knowledge about this:
>> We are regularly building our web applications with CakePHP and some of our clients demand a thorough security check before going live.
>> Recently one of these checks revealed a high risk of Command Injection, the most vulnerable file being /lib/Cake/Utility/file.php.
>>
>> Other issues:
>>
>> * Stored Code Injection
>> * XSRF (this can be contained with the Security component)
>> * Information Leak Through Persistent Cookies
>>
>> Other vulnerable files mentioned:
>>
>> # cookiecomponent.php
>> # cakesocket.php
>> # consoleinput.php
>>
>> Since these are all Cake core files I wonder if these are known issues and if anyone has some information on this.
>>
>> Thanks!
>>
>> --
>> Like Us on FaceBook https://www.facebook.com/CakePHP
>> Find us on Twitter http://twitter.com/CakePHP
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "CakePHP" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/cake-php?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.
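The advice in the thread (build to the conventions, load the Security component to contain XSRF, and tighten cookie handling) is concrete enough to show in one place. The following AppController is an added example written for this page, not code from the original posts or from the CakePHP project itself. It targets CakePHP 2.3 as discussed above; the `blackHoled` callback name and the `Security.cookieKey` Configure entry it reads are assumptions, not Cake defaults, and the logging and redirect behaviour are one reasonable choice, not the only one.

```php
<?php
// app/Controller/AppController.php (CakePHP 2.3) -- added example, not the project's own code.
App::uses('Controller', 'Controller');
App::uses('CakeLog', 'Log');

class AppController extends Controller {

	// Loading SecurityComponent switches on CSRF tokens and form-tampering
	// checks for every POST. FormHelper emits the hidden token fields, so
	// forms must be built with $this->Form->create()/end(); a hand-written
	// <form> has no token and is black-holed.
	public $components = array(
		'Session',
		'Cookie',
		'Security' => array(
			'csrfExpires' => '+30 minutes', // lifetime of a CSRF token
			'csrfUseOnce' => true,           // each token is valid for one request
		),
	);

	public function beforeFilter() {
		parent::beforeFilter();

		// Name of the controller method invoked when a check fails; without it
		// the component throws BadRequestException directly.
		$this->Security->blackHoleCallback = 'blackHoled';

		// Refuse plain HTTP for every action. Use requireSecure('login', ...)
		// instead if only some pages carry credentials or session data.
		$this->Security->requireSecure();

		// Fields that client-side JavaScript adds or edits must be unlocked,
		// otherwise the form-tampering check rejects the POST.
		$this->Security->unlockedFields = array('Search.query');

		// Persistent cookies written through CookieComponent: unreadable from
		// JavaScript, sent only over TLS, and encrypted with a key that is
		// separate from Security.salt (Security.cookieKey is an assumed entry
		// in app/Config/core.php; the component otherwise falls back to the salt).
		$this->Cookie->httpOnly = true;
		$this->Cookie->secure = true;
		$this->Cookie->key = Configure::read('Security.cookieKey');
	}

	/**
	 * Black-hole handler. $error is the string the component passes:
	 * 'secure' (no TLS), 'csrf' (bad or missing token), 'auth' (tampered form)
	 * or 'post'/'get' (wrong HTTP method).
	 */
	public function blackHoled($error) {
		if ($error === 'secure') {
			// Plain-HTTP hit: bounce to the same URL over TLS rather than fail.
			return $this->redirect('https://' . env('SERVER_NAME') . $this->here);
		}
		// Token or tampering failures are worth a log line; do not retry them.
		CakeLog::write('security', sprintf(
			'black-holed request (%s) for %s from %s',
			$error, $this->here, $this->request->clientIp()
		));
		throw new BadRequestException('The request has been black-holed');
	}
}
```

The session cookie is not covered by CookieComponent; its flags come from the `Session` configuration in `app/Config/core.php`, where the `ini` key passes `session.cookie_httponly` and `session.cookie_secure` straight through to PHP. With the component loaded, any form submitted without the FormHelper tokens (including forms a scanner replays) is rejected, which is the behaviour a CSRF test expects to see.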
