CakePHP: the rapid development php framework: CakeBot

Log message #4191380

#	At	Username	Text
#	Jun 30th 2019, 11:23	challgren	But simple way to prevent it from being inserted at all is to create a Custom Rule Object so you can reuse it.
#	Jun 30th 2019, 11:22	slackebot	write the contents to a PHP file and execute it, or have it written to a place where an external attacker could execute it.
#	Jun 30th 2019, 11:22	ndm	@wgon0001 Obfuscation via ROT13 or Base64, I haven't seen that in years. Generally you need to first properly assess a threat, just adding "security stuff" will most likely fail if you don't know how a possible attack works. As @challgren said, that code snippet alone is no threat. Ask yourself, how could someone exploit ROT13 obfuscated PHP that's embedded in a database record? Your application would have to un-ROT13 it, and either eval it, or
#	Jun 30th 2019, 11:16	challgren	Plus if you did get `<?php @eval($_POST[value]);?>` inserted into your database. It wouldn’t run
#	Jun 30th 2019, 11:14	challgren	And then if you wanted to you can write your own rule to look for that string https://book.cakephp.org/3.0/en/orm/validation.html#creating-custom-re-usable-rules
#	Jun 30th 2019, 11:11	challgren	https://book.cakephp.org/3.0/en/orm/saving-data.html#merging-request-data-into-entities
#	Jun 30th 2019, 11:11	challgren	https://book.cakephp.org/3.0/en/orm/saving-data.html#converting-request-data-into-entities
#	Jun 30th 2019, 11:04	challgren	https://book.cakephp.org/3.0/en/orm/query-builder.html#sql-injection-prevention
#	Jun 30th 2019, 10:59	challgren	By using the `$_POST` you aren’t even allowing cake to sanitize the input
#	Jun 30th 2019, 10:57	challgren	You know CakePHP has SLQ injection built in if used correctly
#	Jun 30th 2019, 10:55	wgon0001	There are many articles and some attacker’s write-ups saying how they doing this. And I tried on yesterday it did works on my build with Cake 3.7
#	Jun 30th 2019, 10:53	slackebot	https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
#	Jun 30th 2019, 10:53	wgon0001	@challgren I am trying to prevent that statement been injected to database, common happens when user fill out register from. That link gives you an overview and analysis of how it could harm to php site. And now they are using such as ROT13 or base64 encrypted script to do the same things. And I am trying to build a input filter to prevent this.
#	Jun 30th 2019, 10:34	ra7bi	@ndm Thanks will check it out
#	Jun 30th 2019, 10:31	challgren	I'm not trying to be a dick or anything just trying to understand why you need to use eval
#	Jun 30th 2019, 10:30	challgren	@wgon0001 what exactly are you trying to accomplish with the eval? Let's look at your use case from a architecture view
#	Jun 30th 2019, 10:29	ra7bi	you can detect `eval` code but not prevent completely , the firewall can detect eval call but sometime can play around it
#	Jun 30th 2019, 10:28	wgon0001	Cheers, that’s what I looking for, I will try it out.
#	Jun 30th 2019, 10:28	ra7bi	so you should be very carefully
#	Jun 30th 2019, 10:28	ra7bi	there is no traditional way , if you prevent `@eval($_POST['value']);` i would use `@eval(base64_decode(base64_decode($_POST['value'])));`
#	Jun 30th 2019, 10:25	challgren	What exactly are you evaling and expecting?
#	Jun 30th 2019, 10:24	wgon0001	@ra7bi That’s what I want to prevent for attacker’s malware input, is there any functions that I can use in Cake or I have to write it in traditional PHP ways to detect and prevent it?
#	Jun 30th 2019, 10:17	slackebot	required though, you can use a fully qualifified name in the config and it will work just fine.
#	Jun 30th 2019, 10:17	ndm	@ra7bi You can put the file anywhere as long as it's autoloadable, CakePDF doesn't _enforce_ any conventions, but _uses_ the standard CakePHP ones in order to support short classnames (see for example https://book.cakephp.org/3.0/en/core-libraries/logging.html#logging-configuration). In order for the latter to work, you'd put it in `src/Pdf/Engine/`, and use a class/filename that ends with `Engine` (just like the built in ones do). It's not
#	Jun 30th 2019, 09:39	challgren	Ahh ok
#	Jun 30th 2019, 09:38	ra7bi	i preferred TCPDF , coz i know how to work with it much better and it support Arabic
#	Jun 30th 2019, 09:38	challgren	I know that engine seems much more complete in CakePdf
#	Jun 30th 2019, 09:37	challgren	Have you looked into wkHtmlToPdf
#	Jun 30th 2019, 09:37	ra7bi	Sure , thanks
#	Jun 30th 2019, 09:37	challgren	Honestly not sure, mess around and see what folder works maybe admad can help
#	Jun 30th 2019, 09:36	ra7bi	i dont want to touch the plugin folder
#	Jun 30th 2019, 09:35	ra7bi	is there any example where should i put the file of that engine ?
#	Jun 30th 2019, 09:31	challgren	Or extend TcpdfEngine
#	Jun 30th 2019, 09:27	challgren	You may have to write your own AbstractPdfEngine then
#	Jun 30th 2019, 09:27	ra7bi	` $this->viewBuilder()->setOptions([])` does not work
#	Jun 30th 2019, 09:27	ra7bi	i wana use ` $TCPDF->` object in my controller here is the original place `https://github.com/FriendsOfCake/CakePdf/blob/master/src/Pdf/Engine/TcpdfEngine.php`
#	Jun 30th 2019, 09:24	challgren	Only 2 people in this world use eval(), new programmers that don’t know anything about data sanitization, SQL injection bugs and security. Or those that want to push the limits of PHP. In this case I’m guessing its a new programmer. Because its not even using the CakePHP conventions of accessing the request object instead of the raw $_POST
#	Jun 30th 2019, 09:22	ra7bi	Yes , he need very deep filtering system but also he will be in risk
#	Jun 30th 2019, 09:20	challgren	You saw the code he posted right? He’s evaling unsanitized code. Major major security risk, phpMyAdmin, vBulletin have all had eval related security issues
#	Jun 30th 2019, 09:18	ra7bi	sometime he need eval in hook system but in cake already have plugin system
#	Jun 30th 2019, 09:14	challgren	“If eval() is the answer, you’re almost certainly asking the wrong question. -- Rasmus Lerdorf, BDFL of PHP”