It's the same with Cake 1.1.17.

Added a ticket: https://trac.cakephp.org/ticket/3187

On 4 Sep., 12:23, "J. Eckert" <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> There seems to be a security issue with the Model->save() function in
> Cake 1.2 if you are adding data through a form.
>
> Example:
>
> A simple User-Model with id, username, password
>
> If there is for example a registration form in which you enter your
> username and password you can manipulate this form so that you can
> change an already existing user.
>
> Form:
>
> <form action="http://xyz.com/users/add" method="post">
>  <input type="text" name="data['User']['username']" />
>  <input type="password" name="data['User']['password']" />
> </form>
>
> Add-Code in users_controller.php:
>
> function add() {
>   // Only these fields are meant to be writable from the form.
>   $allowedFields = array("username", "password");
>   if ($this->data) {
>     $this->User->save($this->data, true, $allowedFields);
>   }
> }
>
> If a bad guy now makes a post-request with an additional ID...
> for example with a locally manipulated form like this:
>
> <form action="http://xyz.com/users/add" method="post">
>  <input type="hidden" name="data['User']['id']" value="1" />
>  <input type="text" name="data['User']['username']" />
>  <input type="password" name="data['User']['password']" />
> </form>
>
> ... it changes the User with the ID 1 instead of creating a new user.
> I think this bug only applies to 1.2, because in 1.2 the Model->set($data)
> function is called inside the save-function before filtering the data
> with the allowedFields-Array.
>
> Because of the called set-function, a $this->Model->create() before
> the save doesn't have any effect (the id will be re-set in the save
> function through set($data)).
>
> The temporary approach to secure add-functions in Cake 1.2 is to
> manually delete the ID from the data Array in add-functions.
>
> So with:
>
> function add() {
>   $allowedFields = array("username", "password");
>   if ($this->data) {
>     // Drop any submitted primary key before saving.
>     if (isset($this->data['User']['id'])) unset($this->data['User']['id']);
>     $this->User->save($this->data, true, $allowedFields);
>   }
> }
>
> you are on the safe side...
>
> I couldn't find any ticket or posting dealing with this issue. So am I
> using the Model->save in a wrong way or is this really a bug?
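
The ordering problem described in the quoted report, as an added example that is not part of the original thread and is not CakePHP code: `ToyModel` and its methods are hypothetical stand-ins, and the sample POST data is constructed. It contrasts applying the field whitelist after set() with applying it before.

```php
<?php
// Toy in-memory model (hypothetical, not CakePHP) reproducing the ordering
// described in the thread: set() reads the primary key before the whitelist runs.
class ToyModel {
    public $id = null;
    public $rows = array();   // id => row
    private $nextId = 1;

    // Stand-in for the set() described above: picks up a submitted id.
    function set($data) {
        if (isset($data['id'])) {
            $this->id = $data['id'];
        }
        return $data;
    }

    // Ordering from the report: set() first, whitelist afterwards.
    function saveSetFirst($data, $allowed) {
        $data = $this->set($data);
        return $this->write(array_intersect_key($data, array_flip($allowed)));
    }

    // Hardened ordering: whitelist first, so a non-whitelisted id never reaches set().
    function saveFilterFirst($data, $allowed) {
        $fields = array_intersect_key($data, array_flip($allowed));
        $this->set($fields);
        return $this->write($fields);
    }

    // Update when an id is set, insert otherwise.
    private function write($fields) {
        $id = ($this->id !== null) ? $this->id : $this->nextId++;
        $existing = isset($this->rows[$id]) ? $this->rows[$id] : array();
        $this->rows[$id] = array_merge($existing, $fields);
        $this->id = null;
        return $id;
    }
}

// Constructed sample: one existing account, then a registration POST with an extra id.
$allowed = array('username', 'password');
$post = array('id' => 1, 'username' => 'mallory', 'password' => 'x');

foreach (array('saveSetFirst', 'saveFilterFirst') as $method) {
    $m = new ToyModel();
    $m->saveFilterFirst(array('username' => 'admin', 'password' => 'secret'), $allowed);
    $written = $m->$method($post, $allowed);
    printf("%s: wrote row %d, row 1 username is now %s\n",
           $method, $written, $m->rows[1]['username']);
}
```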

