
====================================================================

                             CERT-Renater

                  Note d'Information No. 2012/VULN281
____________________________________________________________________

DATE                :  18/07/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running CakePHP 2.1.x prior to 2.1.5, or
                      CakePHP 2.2.x prior to 2.2.1.

======================================================================
http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
______________________________________________________________________

Security Release - CakePHP 2.1.5 & 2.2.1
by markstory on July 14, 2012

CakePHP 2.1.5 and 2.2.1 have just been released. If you are using
CakePHP's `Xml` class, you should upgrade as soon as possible.

The security issue was recently reported by Paweł Wyleciał. When
accepting user-provided XML it is possible to read arbitrary files
using external entities. This is particularly dangerous for
applications accepting XML data as part of a webservice. A possible
exploit example would be:

curl -X POST -H 'Content-Type: application/xml' localhost/posts -d \
'<!DOCTYPE cakephp [ <!ENTITY payload SYSTEM "file:///etc/passwd" >]>
<Post> <body>&payload;</body> </Post>'

Once the XML has been processed $this->request->data['Post']['body']
will contain the contents of /etc/passwd. This issue was fixed and
packaged releases for 2.1 and 2.2 have been created. This issue does
not affect the 1.3 or 1.2 release series. If you are unable to upgrade,
you should apply the patch as soon as possible.
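The advisory explains the impact but not what a safe XML loader looks
like. The PHP function below is an added illustration and is not
CakePHP's own code or its actual patch; it shows the generic defences
against this class of issue: refusing any DOCTYPE (the only place an
inline entity such as the one in the request above can be declared),
turning off libxml's external entity loader for the duration of the
parse on PHP versions where it is on by default, and parsing with
LIBXML_NONET and without LIBXML_NOENT. It assumes PHP 5.5 or later with
the libxml and SimpleXML extensions; the function name
parseUntrustedXml and the two sample documents are constructed for the
example.

```php
<?php
// Added example, not CakePHP code: a defensive loader for untrusted XML.
// Assumes PHP >= 5.5 with the libxml and SimpleXML extensions.

/**
 * Parse untrusted XML without resolving external entities.
 *
 * Throws InvalidArgumentException if the document carries a DOCTYPE
 * (which is where an internal subset can declare an entity such as
 * <!ENTITY payload SYSTEM "file:///etc/passwd">) or if it is malformed.
 */
function parseUntrustedXml($input)
{
    // 1. Refuse any document that ships a DTD. A web service consuming
    //    client XML has no legitimate need to accept entity declarations,
    //    and the XML grammar requires the literal token "<!DOCTYPE".
    if (strpos($input, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    // 2. On PHP < 8.0 the external entity loader is enabled by default.
    //    Disable it for this parse and restore the caller's setting after.
    //    PHP 8 disables it permanently, so the call is skipped there.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    try {
        // 3. LIBXML_NONET forbids network access while parsing. We
        //    deliberately do NOT pass LIBXML_NOENT, which would request
        //    entity substitution.
        $xml = simplexml_load_string($input, 'SimpleXMLElement', LIBXML_NONET);
        if ($xml === false) {
            $messages = array();
            foreach (libxml_get_errors() as $error) {
                $messages[] = trim($error->message);
            }
            throw new InvalidArgumentException('Malformed XML: ' . implode('; ', $messages));
        }
        return $xml;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample input: the request body quoted in the advisory, and
// a benign document of the same shape.
$hostile = '<!DOCTYPE cakephp [ <!ENTITY payload SYSTEM "file:///etc/passwd" >]>'
         . '<Post><body>&payload;</body></Post>';
$benign  = '<Post><body>hello</body></Post>';

foreach (array('hostile' => $hostile, 'benign' => $benign) as $label => $document) {
    try {
        $post = parseUntrustedXml($document);
        printf("%s: accepted, body = %s\n", $label, (string) $post->body);
    } catch (InvalidArgumentException $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

Run with `php parse_untrusted_xml.php` (any file name): the first
document is rejected at step 1 before libxml ever sees it, and the second
parses normally. The DOCTYPE check is the layer that matters most, since
it does not depend on the PHP version or on which libxml flags a later
maintainer adds; the loader and flag handling are defence in depth for
the case where a DTD-free document still references a predefined or
parameter entity.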


Other fixes in 2.2.1

In addition to the security fix 2.2.1 contains fixes for the following
issues:

    Fixed missing urlencode on nested named parameters.
    Fixed ANSI codes being output on Windows terminals.
    Fixed HtmlHelper::image() including the base directory twice when
      the fullBase option is used.
    Console logging now respects the quiet flag for shells.
    TranslateBehavior now saves records with only some translated
      fields correctly.
    afterValidate() was made available on behaviors. This was an
      omission in 2.2.0.

View the complete changelog for 2.2.1 [1] and 2.1.5 [2]. Download a
packaged release [3].

CakeFest 2012 [4] is around the corner and we already expect awesome
talks and workshops during the best PHP conference out there. If you
haven't booked your tickets yet, it's about time you do.

As always, thanks to the friendly CakePHP community for the patches,
documentation changes and new tickets. Without you there would be no
CakePHP!


Links

[1] http://cakephp.org/changelogs/2.2.1

[2] http://cakephp.org/changelogs/2.1.5

[3] http://github.com/cakephp/cakephp/tags

[4] http://cakefest.org

======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
