After the release of 1.2 Final, we received a lot of attention. Some
of this came in the form of a security concern. The issue could affect
sites relying on the AuthComponent for user authentication, without
the use of the SecurityComponent. Essentially, an attacker may be able
to obtain credentials as the first user of the system. If you are
interested in testing your site, you can use the SQL Inject Me plugin
for Firefox[1].

Along with several other bugs, this issue was fixed in the recently
released CakePHP 1.2.1.8004 Stable. We highly recommend that users
upgrade to this release.

A big thank you to all those who report these issues to us and allow
us to fix them.
Is there a link to the details of the security concern? I know it's
fixed now, but I'm interested in whether I should always use the Security
Component and what the implication is if I don't.

Tried googling and looking in Trac, but I can't seem to find out what
the problem was.
On Jan 16, 10:14 pm, Gwoo <gwoo.cake...@gmail.com> wrote:
> After the release of 1.2 Final, we received a lot of attention. Some
> of this came in the form of a security concern. The issue could affect
> sites relying on the AuthComponent for user authentication, without
> the use of the SecurityComponent. Essentially, an attacker may be able
> to obtain credentials as the first user of the system. If you are
> interested in testing your site, you can use the SQL Inject Me plugin
> for Firefox[1]
> Along with several other bugs, this issue was fixed in the recently
> released CakePHP 1.2.1.8004 Stable. We highly recommend that users
> upgrade to this release.
> A big thank you for all those who report these issues to us and allow
> us to fix them.
You could probably d/l fiddler2 (http://www.fiddler2.com/fiddler2/)
and use that to do whatever injections are needed. This app also works
with any browser that supports proxies and even works remotely.
On Jan 19, 7:38 am, Pyrite <thelette...@gmail.com> wrote:
> Is there a way to test this CVE without Firefox? I do not have the
> option of Firefox at work. Only IE7.
> On Jan 16, 4:14 pm, Gwoo <gwoo.cake...@gmail.com> wrote:
> > After the release of 1.2 Final, we received a lot of attention. Some
> > of this came in the form of a security concern. The issue could affect
> > sites relying on the AuthComponent for user authentication, without
> > the use of the SecurityComponent. Essentially, an attacker may be able
> > to obtain credentials as the first user of the system. If you are
> > interested in testing your site, you can use the SQL Inject Me plugin
> > for Firefox[1]
> > Along with several other bugs, this issue was fixed in the recently
> > released CakePHP 1.2.1.8004 Stable. We highly recommend that users
> > upgrade to this release.
> > A big thank you for all those who report these issues to us and allow
> > us to fix them.