ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?
In this place only the password, but after that other things as well, except the btc accounts.
this bit of code:
$this->Recipe->save($this->request->data);
looks awfully scary
...if it happens in one place, it's likely to happen in other parts of the code.
Yes
...if it happens in one place, it's likely to happen in other parts of the code.
We have reviewed the whole code. This was the only place where this construct was used.
I'm not an expert with cake, but I do know it does a lot of automagical things, so passing a user-controlled data structure (request->data) to a magical DB storage method just feels wrong.
The code was like this:
$this->User->id = $this->Auth->user('id');   // intended: pin the record to the logged-in user
if ($this->User->save($this->data, array('fieldList' => array('pass', 'pass2')))) ...   // whitelist only pass/pass2
Only 2 elements should be saved, but apparently data[User][id] overwrites User->id.
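To make the failure mode concrete, here is an added example that is not code from the thread or from CakePHP: a toy model whose save() reproduces the described behaviour (a submitted data[User][id] wins over the id set on the model even though 'id' is not in fieldList), the vulnerable caller from the post, and a hardened caller that rebuilds the record from scratch and pins the id. ToyModel, changePasswordVulnerable, changePasswordHardened and the sample rows are all constructed for this illustration.

```php
<?php
// Added example (not from the thread or CakePHP). ToyModel stands in for a
// CakePHP-1.x-style model only as far as needed to show the reported defect.

class ToyModel
{
    public $id = null;
    public $alias = 'User';
    public $rows = [];   // simulated table: id => column values

    // Mimics the reported defect: data[User][id], if present, becomes the
    // record id even when 'id' is absent from fieldList.
    public function save(array $data, array $options = [])
    {
        $fields = $data[$this->alias] ?? [];
        if (isset($fields['id'])) {
            $this->id = (int) $fields['id'];   // the mass-assignment hole
        }
        if (!empty($options['fieldList'])) {
            $fields = array_intersect_key($fields, array_flip($options['fieldList']));
        }
        unset($fields['id']);
        $this->rows[$this->id] = array_merge($this->rows[$this->id] ?? [], $fields);
        return true;
    }
}

// Vulnerable caller, structured like the snippet in the thread.
function changePasswordVulnerable(ToyModel $m, int $authUserId, array $request): bool
{
    $m->id = $authUserId;
    return $m->save($request, ['fieldList' => ['pass', 'pass2']]);
}

// Hardened caller: never hand the raw request to save(); copy only the two
// expected fields into a fresh array and set the id from the session.
function changePasswordHardened(ToyModel $m, int $authUserId, array $request): bool
{
    $in = $request['User'] ?? [];
    $record = ['User' => [
        'id'    => $authUserId,          // overrides anything the client sent
        'pass'  => (string) ($in['pass']  ?? ''),
        'pass2' => (string) ($in['pass2'] ?? ''),
    ]];
    $m->id = $authUserId;
    $ok = $m->save($record, ['fieldList' => ['pass', 'pass2']]);
    // Defensive post-condition: the model must still point at the caller's row.
    if ($m->id !== $authUserId) {
        throw new RuntimeException('record id changed during save');
    }
    return $ok;
}

// Constructed scenario: user 2 is logged in and submits id=1 in the form.
$request = ['User' => ['id' => 1, 'pass' => 'newpw', 'pass2' => 'newpw']];

$m = new ToyModel();
$m->rows = [1 => ['pass' => 'victim-pw'], 2 => ['pass' => 'attacker-pw']];
changePasswordVulnerable($m, 2, $request);
echo "vulnerable: row1=" . $m->rows[1]['pass'] . " row2=" . $m->rows[2]['pass'] . "\n";
// prints: vulnerable: row1=newpw row2=attacker-pw   (victim's row was overwritten)

$m = new ToyModel();
$m->rows = [1 => ['pass' => 'victim-pw'], 2 => ['pass' => 'attacker-pw']];
changePasswordHardened($m, 2, $request);
echo "hardened:   row1=" . $m->rows[1]['pass'] . " row2=" . $m->rows[2]['pass'] . "\n";
// prints: hardened:   row1=victim-pw row2=newpw   (only the caller's own row changed)
```

The point the hardened version makes is that a whitelist on columns does not protect the primary key if the framework reads the key from the same user-controlled array; the record passed to save() has to be assembled by the application from known-good values, and a cheap post-condition (the id still equals the session id) turns a silent overwrite into a logged exception.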
We try to limit the use of third-party software to a minimum.
We will add more security by notifying the user via email of any changes to the account, withdrawal attempts and many other things that happen on the system.
Modifications will freeze the account for some period of time so that the user can react.
The admin will also be notified of strange trading orders.