CakePHP Unsafe Configuration

ID

php.cakephp_unsafe_configuration

Severity

high

Resource

Misconfiguration

Language

PHP

Tags

CWE:489, CWE:613, CakePHP, NIST.SP.800-53, OWASP:2021:A5, OWASP:2021:A7, PCI-DSS:6.5.6

Description

Unsafe configurations in CakePHP can lead to security vulnerabilities.

Rationale

Some CakePHP configuration settings may lead to security vulnerabilities:

  • debug: when enabled, it may lead to sensitive information exposure.

  • Security.level: a low value may result in an excessive session timeout.

Here is a vulnerable code example for CakePHP:

<?php
use Cake\Core\Configure;

Configure::write('debug', 3);  // FLAW
Configure::write('Security.level', 'low'); // FLAW
?>

In the code above, neither debug nor Security.level is set to a safe value.

The same settings can also be set in CakePHP's config/app.php file:

<?php
return [
    'debug' => true, // FLAW

    'Security' => [
        'salt' => '__SALT__',
        'level' => 'low'  // FLAW
    ],
];

Remediation

A safe version of the previous example would look like this:

<?php
return [
    'debug' => false,

    'Security' => [
        'salt' => '__SALT__',
        'level' => 'medium'
    ],
];

Configuration

The detector has the following configurable parameters:

  • checkDebug: indicates whether the debug configuration must be checked.

  • checkSecurityLevel: indicates whether the Security.level configuration must be checked.
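As an added example (not the detector's own code, nor code from CakePHP), the following Python script applies the two checks above to both configuration forms shown on this page, with check_debug and check_security_level mirroring the checkDebug and checkSecurityLevel parameters; the regular expressions, the Finding class and the sample config are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# CWE the page tags each checked setting with.
CWE = {"debug": "CWE-489", "Security.level": "CWE-613"}
# Procedural form: Configure::write('debug', 3) / Configure::write('Security.level', 'low')
WRITE_RE = re.compile(r"Configure::write\(\s*'(?P<key>debug|Security\.level)'\s*,\s*(?P<val>[^)]+?)\s*\)")
# Array form in config/app.php: 'debug' => true / 'level' => 'low' (inside the 'Security' array)
ARRAY_RE = re.compile(r"'(?P<key>debug|level)'\s*=>\s*(?P<val>[^,\s\]]+)")

@dataclass
class Finding:
    line: int
    key: str
    value: str
    cwe: str

def is_unsafe(key: str, raw: str) -> bool:
    # debug is unsafe unless explicitly off; Security.level is unsafe when 'low'
    val = raw.strip().strip("'\"").lower()
    return val not in ("false", "0") if key == "debug" else val == "low"

def scan_config(source: str, check_debug=True, check_security_level=True) -> list:
    # Line-based scan of a CakePHP config; the two flags mirror the detector parameters.
    findings, in_security = [], False
    for lineno, line in enumerate(source.splitlines(), 1):
        if re.search(r"'Security'\s*=>\s*\[", line):
            in_security = True
        elif in_security and line.strip().startswith("]"):
            in_security = False
        m = WRITE_RE.search(line) or ARRAY_RE.search(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == "level":
            if not in_security:
                continue  # a 'level' key outside the Security array is not Security.level
            key = "Security.level"
        enabled = check_debug if key == "debug" else check_security_level
        if enabled and is_unsafe(key, val):
            findings.append(Finding(lineno, key, val.strip(), CWE[key]))
    return findings

# Constructed sample: the page's vulnerable config/app.php.
VULNERABLE_APP_PHP = (
    "<?php\nreturn [\n    'debug' => true, // FLAW\n    'Security' => [\n"
    "        'salt' => '__SALT__',\n        'level' => 'low'  // FLAW\n    ],\n];\n"
)
```

Running scan_config(VULNERABLE_APP_PHP) reports debug on line 3 (CWE-489) and Security.level on line 6 (CWE-613); the remediated config from the previous section yields no findings.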

References