CakePHP

Originally discussed 29th January 2010.

While working on a CakePHP project, I found a couple of issues with its default setup.


This is now known as a Mass Assignment Vulnerability, and found in many MVC / Active Record style frameworks (made popular due to the Ruby On Rails / GitHub issue in 2012).

As the fields for a form are created in HTML and sent to the browser, the form can be edited by an attacker (fields added/removed, easily done via the DOM inspector).

So if your website has a "users" table with an "admin" field in it, the registration page may not have a field to say whether the new account should be an admin, but an attacker can easily add one.

This is a problem because the untrusted POST data is then passed straight to the Model, which has no idea which fields should be present; most developers do not know that they need to specify a fieldList, or use the separate SecurityComponent.
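As an added example (not code from the original post), here is what the fieldList mitigation looks like in a CakePHP 1.x controller; the controller, action and column names are assumptions for illustration:

```php
<?php
// Added example, not from the original post. CakePHP 1.x conventions:
// $this->data holds the submitted form data, keyed by model alias.
class UsersController extends AppController {

    public $name = 'Users';

    // Vulnerable registration: every key in the POSTed User array reaches
    // Model::save(), so an extra User[admin]=1 field injected into the form
    // is written to the "admin" column just like username or email.
    public function register_unsafe() {
        if (!empty($this->data)) {
            $this->User->create();
            if ($this->User->save($this->data)) {
                $this->redirect(array('action' => 'index'));
            }
        }
    }

    // Hardened registration: the third argument of Model::save() is the
    // fieldList, a whitelist of columns that may be written. Any other key
    // in the submitted data (for example "admin") is dropped before the
    // INSERT, so the form can be tampered with but the column is untouched.
    public function register() {
        if (!empty($this->data)) {
            $this->User->create();
            $allowed = array('username', 'email', 'password');
            if ($this->User->save($this->data, true, $allowed)) {
                $this->redirect(array('action' => 'index'));
            }
        }
    }
}
```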


While this is not really a security issue, I thought I should mention it anyway:

    $this->Model->find('all', array(
      'conditions' => array(
        'model.id' => $id,
        'OR' => array(
          'model.a !=' => 'x',
          'model.b >' => 'y',
        ),
        'OR' => array(...), // Whoops, two "OR" keys: the second silently overwrites the first
      ),
      'fields' => ... // If not specified, you get all fields instead
    ));

Note the two "OR" keys in the array (PHP keeps only the last value for a duplicate key, so the first set of conditions is lost). This can be fixed with the following, but it means that mistakes are very easy to make.

    $this->Model->find('all', array(
      'conditions' => array(
        'model.id' => $id,
        'OR' => array(
          array(
            'model.a !=' => 'x',
            'model.b >' => 'y', // Do not do a 'model.b >' => 'z'
          ),
          array(...),
        ),
      ),
      'fields' => array('model.id'),
    ));

But even then, something that concerns me is the use of the field name and comparison operator in the same string (which is also an array key): does CakePHP escape/filter both of these components correctly in every case?