CakePHP Arbitrary File Access
Vendor: Cake Software Foundation
Product: CakePHP
Version: <= 1.1.7.3363
Website: http://cakephp.org/
BID: 20150
CVE: CVE-2006-5031
OSVDB: 29055
SECUNIA: 22040
Description:
CakePHP is a RAD (Rapid Application Framework) framework for PHP which uses commonly known design patterns like ActiveRecord, Association Data Mapping, Front Controller and MVC. Unfortunately CakePHP is vulnerable to an arbitrary file access vulnerability due to unsafe use of the readfile function that allows for an attacker to read any file on the system that the webserver has read access to. This could be used to read password files or sensitive configuration data etc. An updated version of CakePHP has been released and users encouraged to upgrade their CakePHP installations as soon as possible.


Arbitrary File Access
CakePHP allows for developers to create dynamic content in a way similar to Ruby On Rails. One of the files that allows for front end access to javascript for visitors is vulnerable to an arbitrary file access vulnerability that allows an attacker to read any file on the system that the webserver has read access to. Below is the vulnerable code from vendors.php
if (is_file('../../vendors/javascript/' . $_GET['file']) && (preg_match('/(.+)\\.js/', $_GET['file']))) {
	readfile('../../vendors/javascript/' . $_GET['file']);
}

As seen above the only sanity checks made on the "file" variable are to see if it contains a *.js file name. Of course an attacker can easily bypass this check.
http://www.example.com/js/vendors.php?file=../../../../.htpasswd%00foobar.js



Solution:
The CakePHP development team have released an updated version of CakePHP to address this issue. Users are encouraged to upgrade their CakePHP installations as soon as possible.


Credits:
James Bercegay of the GulfTech Security Research Team