Hi there,

There seems to be a security issue with the Model->save() function in
Cake 1.2 if you are adding data through a form.

Example:

A simple User-Model with id, username, password

If there is, for example, a registration form in which you enter your
username and password, you can manipulate this form so that you
change an already existing user.

Form:

<form action="http://xyz.com/users/add" method="post">
 <input type="text" name="data[User][username]" />
 <input type="password" name="data[User][password]" />
</form>

Add-Code in users_controller.php:

function add() {
  $allowedFields = array("username", "password");
  if ($this->data) {
    // save($data, $validate, $fieldList): only the whitelisted fields
    // are supposed to be written
    $this->User->save($this->data, true, $allowedFields);
  }
}


If a bad guy now makes a POST request with an additional ID...
for example with a locally manipulated form like this:

<form action="http://xyz.com/users/add" method="post">
 <!-- smuggled field that is not part of the real form -->
 <input type="hidden" name="data[User][id]" value="1" />
 <input type="text" name="data[User][username]" />
 <input type="password" name="data[User][password]" />
</form>

... it changes the User with the ID 1 instead of creating a new user.
I think this bug only applies to 1.2, because in 1.2 the
Model->set($data) function is called inside the save function before
the data is filtered with the allowedFields array.

Because of the set() call, a $this->Model->create() before the save
doesn't have any effect (the id will be re-set in the save function
through set($data)).

The temporary approach to securing add functions in Cake 1.2 is to
manually delete the ID from the data array in the add functions.

So with:

function add() {
  $allowedFields = array("username", "password");
  if ($this->data) {
    // drop a smuggled id before save() can pick it up via set()
    if (isset($this->data['User']['id'])) unset($this->data['User']['id']);
    $this->User->save($this->data, true, $allowedFields);
  }
}

you are on the safe side...

I couldn't find any ticket or posting dealing with this issue. So am I
using Model->save the wrong way, or is this really a bug?


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
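The ordering problem described in the post, as an added example that is not part of the original message and not CakePHP's own code: a toy model that runs set($data) before the fieldList whitelist (the order the post describes) next to a version that filters the posted data before set() sees it, plus the unset() workaround from the post. The class, its methods and the posted request body are all invented for illustration; the real Model::save() has more steps than this.

```php
<?php
// Added example (not CakePHP code, not the original poster's code): a toy
// model reproducing the order described in the post, set() before the
// whitelist, beside a version that whitelists first. Names are invented.

class ToyUserModel {
    var $name = 'User';
    var $id   = null;      // non-null means "update this row" on write
    var $data = array();

    // Stand-in for Model::create(): forget any previously loaded record.
    function create() {
        $this->id   = null;
        $this->data = array();
    }

    // Stand-in for Model::set(): merge posted data into $this->data and,
    // as the post describes, pick up an id from the request if one is sent.
    function set($data) {
        if (!isset($data[$this->name])) {
            return;
        }
        foreach ($data[$this->name] as $field => $value) {
            $this->data[$this->name][$field] = $value;
        }
        if (isset($data[$this->name]['id'])) {
            $this->id = $data[$this->name]['id'];
        }
    }

    // Vulnerable order: set() first, whitelist second. The whitelist only
    // trims the columns that get written; $this->id was already taken from
    // the request, so the write becomes an UPDATE of that row.
    function saveUnsafe($data, $fieldList) {
        $this->set($data);
        $row = array();
        foreach ($fieldList as $field) {
            if (isset($this->data[$this->name][$field])) {
                $row[$field] = $this->data[$this->name][$field];
            }
        }
        return $this->write($row);
    }

    // Hardened order: drop every field not in the whitelist before set()
    // sees the data, so a smuggled id never reaches $this->id.
    function saveFiltered($data, $fieldList) {
        $clean = array($this->name => array());
        foreach ($fieldList as $field) {
            if (isset($data[$this->name][$field])) {
                $clean[$this->name][$field] = $data[$this->name][$field];
            }
        }
        $this->set($clean);
        return $this->write($clean[$this->name]);
    }

    // Stand-in for the database write: report which statement would run.
    function write($row) {
        if ($this->id !== null) {
            return array('op' => 'UPDATE', 'id' => (int)$this->id,
                         'fields' => array_keys($row));
        }
        return array('op' => 'INSERT', 'fields' => array_keys($row));
    }
}

// Constructed request body: the attacker's hidden id next to the real fields.
$posted = array('User' => array(
    'id'       => '1',
    'username' => 'attacker',
    'password' => 'secret',
));
$allowedFields = array('username', 'password');

$m = new ToyUserModel();

// 1. create() followed by the vulnerable save order: id is re-set inside save
$m->create();
print_r($m->saveUnsafe($posted, $allowedFields));

// 2. whitelist applied before set(): the smuggled id is discarded
$m->create();
print_r($m->saveFiltered($posted, $allowedFields));

// 3. the workaround from the post: strip the id before save() sees it
$m->create();
unset($posted['User']['id']);
print_r($m->saveUnsafe($posted, $allowedFields));
```

The point the toy makes is that a field whitelist protects nothing it is applied after: once the request has been merged into model state (including the record id), filtering the column list of the eventual write still leaves the row selection under the attacker's control. Filtering the raw request against the whitelist first, or stripping the id as the post suggests, removes the id before any state is touched.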