Security Fix: CakePHP 2.3.5 released

by lorenzo
After conducting a security audit on our code we have patched a possible security risk in current CakePHP release.

CakePHP 2.3.5 has just been released to fix a critical issue with how the webroot property in CakeRequest is handled that could potentially lead to XSS attacks on certain pages. In the following days we will offer a full description of the vulnerability and how it can be exploited, after some reasonable time has passed for our users to upgrade.

A huge thanks to Florian Krämer for conducting a full security audit on the CakePHP code and Carl Sutton for report and providing a candidate patch.

In addition to the security fix 2.3.4 contains fixes for the following issues:

  • Increasing compatibility with old CentOS servers and the way they handle PHP regular expressions
  • Preventing pagiation limit from overflowing the max integer value
  • Making sure form ids generated in FormHelper::postLink() are actually unique
  • Fixed a bug in TextHelper auto link utility

We recommend all users of 2.x release series upgrade as soon as possible to the new release.

Links

Report

More on News

Tags

Advertising

Comments

login to post a comment.