Does CakePHP automatically deal with mass assignment vulnerabilities when saving modified data?

Edit:

After receiving more information from DCoder, the phrase I was searching for here is a "mass assignment vulnerability." That is to say, taking advantage of the convenience of methods that would save all valid fields to the database, regardless of their presence on the initial form (making them vulnerable to manipulated POST data containing more [possibly more critical] fields than the intended ones).

The two common responses are then appropriately named whitelisting and blacklisting; whitelisting fields intended for modification, or blacklisting fields that should not be modified.

My question then follows: does CakePHP automatically whitelist only those fields in the submitting form, or is it necessary for me (and other Cake fans) to be careful that we are whitelisting or blacklisting appropriately?


Original Question:

Cake offers a lot of great ways to generate forms and handle them nearly automatically. As I was thinking about security, I got to wondering: is Cake aware of what fields existed in a form submitted, or will it simply accept any valid field? Take the following scenario if I'm not making sense (and someone is welcome to edit my question to be better worded if they can think of a better way to express it):

Let's say I allow my users to edit their profile. I create a form which has fields for username, e-mail, and password, under the action edit.

A clever user wants to come in and change their is_admin field from false to true, so they use an app like Firebug to submit custom POST data to the edit action, which includes the field is_admin set to true.

The question is, would Cake realize on its own that is_admin was not in the original form, or do I need to be careful to explicitly specify which fields a given action can modify? Is there an easier way?

Thank you!

James

xtraorange asked May 05 '12 03:05

1 Answer

You have to load the SecurityComponent in your controller(s) and CakePHP will prevent form tampering for you; see http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#form-tampering-prevention

dhofstet answered Nov 25 '22 01:11
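Putting the two ideas together, as an added example (this is not code from either post, nor from the CakePHP project): a CakePHP 2.x controller that loads the SecurityComponent dhofstet points to and, as the whitelisting layer the question asks about, passes a fieldList to Model::save() so the edit action can only ever write the profile columns. The User model and its columns (username, email, password, is_admin), a configured AuthComponent, and the blackhole() callback name are assumptions made for the illustration.

```php
<?php
// Added example, not from the original question or answer.
// Assumed: a User model with columns username, email, password, is_admin,
// and AuthComponent configured so that $this->Auth->user('id') is set.

App::uses('AppController', 'Controller');
App::uses('CakeLog', 'Log');

class UsersController extends AppController {

    // Layer 1: SecurityComponent. FormHelper signs every form it renders with
    // a hash of the field names it contains (sent as data[_Token][fields]).
    // On submit the component recomputes the hash from the fields actually
    // posted; a request that adds, removes or renames a field (for example a
    // hand-crafted POST carrying User.is_admin) no longer matches and is
    // "black-holed" before the action runs.
    public $components = array('Auth', 'Session', 'Security');

    public function beforeFilter() {
        parent::beforeFilter();
        // Send tampered requests to our own handler (assumed name) instead of
        // the default 400 response, so the attempt gets logged.
        $this->Security->blackHoleCallback = 'blackhole';
    }

    // Called by SecurityComponent with the failure type ('auth' for a field
    // hash mismatch or missing token, 'csrf', 'secure', ...).
    public function blackhole($type) {
        CakeLog::write('warning', sprintf(
            'Tampered request to %s (%s) from %s',
            $this->request->here, $type, $this->request->clientIp()
        ));
        throw new BadRequestException('The form has been tampered with.');
    }

    public function edit() {
        // Always operate on the logged-in user; never trust an id from the form.
        $this->User->id = $this->Auth->user('id');

        if ($this->request->is('post') || $this->request->is('put')) {
            // Layer 2: fieldList whitelist. Even if the Security component were
            // disabled or bypassed, Model::save() only writes these columns;
            // any other key in $this->request->data, such as User.is_admin,
            // is ignored rather than persisted.
            $allowed = array('username', 'email', 'password');
            if ($this->User->save($this->request->data, true, $allowed)) {
                $this->Session->setFlash('Profile updated.');
                return $this->redirect(array('action' => 'edit'));
            }
            $this->Session->setFlash('Profile could not be saved.');
        } else {
            // Pre-fill the form, but never echo the stored password hash.
            $this->request->data = $this->User->read(null, $this->User->id);
            unset($this->request->data['User']['password']);
        }
    }
}
```

Two caveats worth keeping in mind. The SecurityComponent only covers forms rendered with FormHelper by a controller that has the component loaded: a client that never received the _Token fields (a script, an API consumer posting JSON) is black-holed outright, so on endpoints like that the fieldList whitelist is the only one of the two layers that applies. And whitelisting beats blacklisting here because a column added to the table later (a new role or quota field, say) is protected by default instead of having to be remembered.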