Originally discussed 29th January 2010.
While working on a CakePHP project, I found a couple of issues with its default setup.
As the fields for a form are created in HTML and sent to the browser, the form can be edited by an attacker (fields added/removed, easily done via the DOM inspector).
So if your website has a "users" table with an "admin" field in it, the registration page may not contain a field that lets the visitor decide whether an admin account should be created, but an attacker can easily add one.
This is a problem because the untrusted POST data is then passed straight to the Model, which has no idea which fields should be present - and most developers do not know that they need to specify a fieldList, or use the separate SecurityComponent.
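To show the whitelist I would put in front of the Model, here is an added example (my own plain PHP, not CakePHP's code); it assumes a "users" table whose registration form owns only username, password and email, and constructs the tampered request inline:

```php
<?php
// Constructed request payload: a registration form that the client has
// extended with an extra "admin" field (e.g. via the DOM inspector).
$request_data = array(
    'User' => array(
        'username' => 'alice',
        'password' => 'hunter2',
        'email'    => 'alice@example.com',
        'admin'    => 1,  // injected key; the real form has no such field
    ),
);

// Fields the registration form is allowed to set (assumed schema).
$allowed = array('username', 'password', 'email');

// Keep only the keys the form owns, so an injected "admin" key never
// reaches Model::save().
function whitelist_fields(array $record, array $allowed)
{
    return array_intersect_key($record, array_flip($allowed));
}

// Report any key the client sent that the form does not own; a non-empty
// result is exactly what a tampered form looks like in the logs.
function unexpected_fields(array $record, array $allowed)
{
    return array_keys(array_diff_key($record, array_flip($allowed)));
}

$unexpected = unexpected_fields($request_data['User'], $allowed);
if (!empty($unexpected)) {
    error_log('Unexpected form fields: ' . implode(', ', $unexpected));
}

$clean = whitelist_fields($request_data['User'], $allowed);
// $clean now holds username, password and email only.

// The same list given to CakePHP 1.x directly, from inside a controller
// (Model::save($data, $validate, $fieldList)):
// $this->User->save($this->data, true, $allowed);
```

Passing the whitelist to save() as the fieldList argument does the filtering inside the Model, but logging the unexpected keys before that is what tells you the form is being tampered with.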
While this is not really a security issue, I thought I should mention it anyway:

    $this->Model->find('all', array(
        'conditions' => array(
            'model.id' => $id,
            'OR' => array(
                'model.a !=' => 'x',
                'model.b >' => 'y',
            ),
            'OR' => array(...), // Whoops, two "or" keys
        ),
        'fields' => ... // If not specified, you get all fields instead
    ));
Note the two "OR" keys in the array (the second silently overwrites the first) - this can be fixed with the following, but it means that mistakes are very easy to make.

    $this->Model->find('all', array(
        'conditions' => array(
            'model.id' => $id,
            'OR' => array(
                array(
                    'model.a !=' => 'x',
                    'model.b >' => 'y', // Do not do a 'model.b >' => 'z'
                ),
                array(...),
            ),
        ),
        'fields' => array('model.id'),
    ));
But even then, something that concerns me is the use of the field name and the comparison operator in the same string (which is also an array key) - so does the framework escape/filter both of these components correctly in every case?