Saturday, January 12, 2013

RE: cakephp and security


From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Dee Johnson
Sent: Tuesday, October 18, 2011 7:27 PM
To: cake-php@googlegroups.com
Subject: cakephp and security


Hi all, I scanned a cake project with a security program called Fortify and it came back with 181 errors associated with using the "extract" function in the core.

Explanation below:
Possible Variable Overwrite: Global Scope (Input Validation and Representation, Structural)

The program invokes a function that can overwrite global variables, which can open the door for attackers.

example is line 870 of configure.php

    function import($type = null, $name = null, $parent = true, $search = array(), $file = null, $return = false) {
        $plugin = $directory = null;

        // Array form of the call: the keys of $type replace the parameters and the
        // two locals preset above (that is why the core uses EXTR_OVERWRITE here)
        if (is_array($type)) {
            extract($type, EXTR_OVERWRITE);
        }

        // Same treatment when $parent is passed as an options array
        if (is_array($parent)) {
            extract($parent, EXTR_OVERWRITE);
        }

        // ... remainder of import() not included in the original post
    }

The application suggests that, in all instances where "extract" is used, the argument 'EXTR_SKIP' be used instead. Since this would be in place of EXTR_OVERWRITE, I was wondering whether this would cause any issues, considering this is the core and all... Thoughts? Full explanation below.

source -

Recommendations:
Prevent functions that can overwrite global variables from doing so in the following ways: 

    - Invoke mb_parse_str(string $encoded_string [, array &$result ]) with the second argument, which captures the result of the operation and prevents the function from overwriting global variables. 

    - Invoke extract(array $var_array [, int $extract_type [, string $prefix]]) with the second argument set to EXTR_SKIP, which prevents the function from overwriting global variables that are already defined. 
   
Example 2: The following code uses a second argument to mb_parse_str() to mitigate the vulnerability from Example 1.

<?php
    $first="User";
    ...
    $str =  $_SERVER['QUERY_STRING'];
    // with the second argument the parsed keys land in $output; $first is untouched
    mb_parse_str($str, $output);
    echo $first;
?>

References:

[1] CWE ID 473, Standards Mapping - Common Weakness Enumeration - (CWE)

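The following is an added example, not code from the original post or from CakePHP itself. It rebuilds the start of App::import() with the same parameter names and the same preset locals ($plugin, $directory) so that the effect of swapping EXTR_OVERWRITE for EXTR_SKIP can be observed directly, then shows a key whitelist that keeps the core's overwrite semantics, and finally the two-argument mb_parse_str() form from the Fortify recommendation. The extra $flag parameter, the function names importLocals/importLocalsWhitelisted/parseQuery and the $opts/query-string inputs are constructed for the demonstration; the mbstring extension is assumed to be loaded.

```php
<?php
// Added example, not from the original post or from CakePHP. Mirrors the first lines of
// App::import(): every parameter and the two preset locals already exist in the function's
// local symbol table when extract() runs. $flag is a hypothetical argument for the demo.
function importLocals($type = null, $name = null, $parent = true, $flag = EXTR_OVERWRITE)
{
    $plugin = $directory = null;
    if (is_array($type)) {
        extract($type, $flag);
    }
    // The variables the rest of import() would go on to use.
    return compact('type', 'name', 'parent', 'plugin', 'directory');
}

// Constructed input in the array form the core accepts. Each key is MEANT to replace a
// parameter or one of the preset locals; the core depends on the overwrite.
$opts = array('type' => 'Model', 'name' => 'Post', 'plugin' => 'Blog');

// EXTR_OVERWRITE: the keys replace $type, $name and $plugin as the core intends.
$overwrite = importLocals($opts);

// EXTR_SKIP: every key collides with a variable that already exists (parameters count, and so
// do locals assigned null), so extract() writes nothing; $type is still the options array.
$skip = importLocals($opts, null, true, EXTR_SKIP);

// Hardening that keeps the core's semantics: still EXTR_OVERWRITE, but only for the keys
// import() documents, so an unexpected key in the array cannot clobber any other local.
function importLocalsWhitelisted($type = null, $name = null, $parent = true)
{
    $plugin = $directory = null;
    $allowed = array('type', 'name', 'parent', 'plugin', 'directory');
    if (is_array($type)) {
        extract(array_intersect_key($type, array_flip($allowed)), EXTR_OVERWRITE);
    }
    return compact('type', 'name', 'parent', 'plugin', 'directory');
}

// The stray 'allowed' key is filtered out before extract(), so $allowed keeps its value.
$hardened = importLocalsWhitelisted($opts + array('allowed' => 'x'));

// Same class of finding for mb_parse_str(): the one-argument form writes query-string keys
// straight into the calling scope (PHP 8.0 removed that form); with a second argument the
// parsed keys go into $output and the existing $first local is left alone.
function parseQuery($qs)
{
    $first = 'User';
    mb_parse_str($qs, $output);
    return array('first' => $first, 'output' => $output);
}
$parsed = parseQuery('first=Attacker&page=2');

print_r(array('overwrite' => $overwrite, 'skip' => $skip,
              'hardened' => $hardened, 'parsed' => $parsed));
```

Running this shows why a blanket EXTR_SKIP is the wrong fix for the core: in $skip, $type is still the array and $name and $plugin are null, so import() would no longer see the options it was given, whereas $overwrite and $hardened both carry type 'Model', name 'Post' and plugin 'Blog'. Two caveats worth adding to the Fortify wording: inside a function extract() touches only that function's local symbol table, not globals, so the risk in import() is a caller-controlled key clobbering a local such as $return or $file rather than a global; and the fix that removes that risk without changing behaviour is to restrict which keys may be extracted (or assign them explicitly), not to change the collision flag. In parseQuery(), $first remains 'User' and the attacker-supplied value is only reachable as $output['first'].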
