Friday September 21, 2021
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 Multiple Invision Power Board Vulnerabilities
  3 Mambo Multiple Vulnerabilities
  4 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  5 MySQL Eventum Multiple Vulnerabilities
  6 Woltlab Burning Board SQL Injection Vulnerability
  7 Geeklog Remote Code Execution
  8 PEAR XML_RPC Library Remote Code Execution
  9 Gallery 2 Multiple Vulnerabilities
10 eBay And Amazon Still Vulnerable
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Archives Research
CakePHP Framework Arbitrary File Access
September 21, 2021
Vendor : Cake Software Foundation
URL : http://cakephp.org/
Version : CakePHP <= 1.1.7.3363
Risk : Arbitrary File Access


Description:
CakePHP is a RAD (Rapid Application Framework) framework for PHP which uses commonly known design patterns like ActiveRecord, Association Data Mapping, Front Controller and MVC. Unfortunately CakePHP is vulnerable to an arbitrary file access vulnerability due to unsafe use of the readfile function that allows for an attacker to read any file on the system that the webserver has read access to. This could be used to read password files or sensitive configuration data etc. An updated version of CakePHP has been released and users encouraged to upgrade their CakePHP installations as soon as possible.


Arbitrary File Access
CakePHP allows for developers to create dynamic content in a way similar to Ruby On Rails. One of the files that allows for front end access to javascript for visitors is vulnerable to an arbitrary file access vulnerability that allows an attacker to read any file on the system that the webserver has read access to. Below is the vulnerable code from vendors.php
if (is_file('../../vendors/javascript/' . $_GET['file']) && (preg_match('/(.+)\\.js/', $_GET['file']))) {
	readfile('../../vendors/javascript/' . $_GET['file']);
}

As seen above the only sanity checks made on the "file" variable are to see if it contains a *.js file name. Of course an attacker can easily bypass this check.

http://www.example.com/js/vendors.php?file=../../../../.htpasswd%00foobar.js


Solution:
The CakePHP development team have released an updated version of CakePHP to address this issue. Users are encouraged to upgrade their CakePHP installations as soon as possible.


Credits:
James Bercegay of the GulfTech Security Research Team