VYPR
High severity · NVD Advisory · Published Jan 14, 2011 · Updated Apr 29, 2026

CVE-2010-4335

Description

The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files.
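As an added example (not CakePHP's code and not part of this advisory), the PHP decoder below handles the rot13'd, serialized _Token[fields] "locked" list the description refers to: it reuses the regex gate from the fix commit further down and adds two protections that post-date the patch, unserialize's allowed_classes option (PHP 7.0+) and a shape check that only accepts a flat array of string field names. decodeLockedFields is a hypothetical name; the sample inputs are constructed, with the object payload taken from the patch's regression test.

```php
<?php
// Added example (not CakePHP's code): a hardened decoder for the
// _Token[fields] "locked" value, built on the fix commit's regex gate.

/**
 * Decode the rot13'd, serialized list of locked field names.
 * Returns the array of names, or null if the value is rejected.
 */
function decodeLockedFields(string $locked): ?array
{
    $locked = str_rot13($locked);

    // Same gate as the fix: refuse anything that looks like an object
    // token (O:<length>) at the start or right after a delimiter.
    if (preg_match('/(\A|;|{|})O\:[0-9]+/', $locked)) {
        return null;
    }

    // Defence in depth (PHP 7.0+): even if the gate were bypassed, no
    // class is instantiated from this string; objects become
    // __PHP_Incomplete_Class and fail the is_array check below.
    $decoded = @unserialize($locked, ['allowed_classes' => false]);

    // Only a flat list of string field names is a valid locked list.
    if (!is_array($decoded)) {
        return null;
    }
    foreach ($decoded as $name) {
        if (!is_string($name)) {
            return null;
        }
    }
    return $decoded;
}

// Constructed sample: a legitimate locked list, encoded the way the
// form helper would encode it (serialize, then rot13).
$good = str_rot13(serialize(['Model.valid', 'Model.role']));
var_dump(decodeLockedFields($good));

// The object payload from the regression test in the fix commit.
$attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}';
var_dump(decodeLockedFields(str_rot13($attack)));
```

The first call returns the two field names; the second returns null at the regex gate, and would still return null from the is_array check if the gate were removed.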

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Affected versions    Patched versions
cakephp/cakephp (Packagist)   >= 1.2.8, < 1.3.6    1.3.6

Affected products

  • cpe:2.3:a:cakefoundation:cakephp:1.3.0:*:*:*:*:*:*:*
  • cakephp/cakephp (13 versions):
    • cpe:2.3:a:cakephp:cakephp:1.2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.0:alpha:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.0:rc4:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:cakephp:cakephp:1.3:dev:*:*:*:*:*:*

Patches

e431e86aa430

Fixing issue found by Felix Wilhelm (flxm) where users could send potentially dangerous or corrupted serialized objects to SecurityComponent, potentially allowing manipulation of file map caches. Test case added.

https://github.com/cakephp/cakephp · mark_story · Nov 8, 2010 · via ghsa
2 files changed · +30 −1
  • cake/libs/controller/components/security.php (+6 −1, modified)
    @@ -618,10 +618,15 @@ function _validatePost(&$controller) {
     		}
     		unset($check['_Token']);
     
    +		$locked = str_rot13($locked);
    +		if (preg_match('/(\A|;|{|})O\:[0-9]+/', $locked)) {
    +			return false;
    +		}
    +
     		$lockedFields = array();
     		$fields = Set::flatten($check);
     		$fieldList = array_keys($fields);
    -		$locked = unserialize(str_rot13($locked));
    +		$locked = unserialize($locked);
     		$multi = array();
     
     		foreach ($fieldList as $i => $key) {
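Review bot: the new gate `if (preg_match('/(\A|;|{|})O\:[0-9]+/', $locked))` is a pattern denylist placed in front of `$locked = unserialize($locked);`, so the untrusted `_Token[fields]` value is still handed to unserialize whenever the pattern does not match. Since the locked list is only ever an array of field-name strings, the more robust fix is to stop serializing it at all (a delimited or JSON-encoded list of names, checked with is_array/is_string after decoding), so that no object can be instantiated regardless of what the regex catches. The early `return false;` also emits no log line or message that distinguishes a rejected object payload from an ordinary form-tampering failure, which leaves operators with no signal that such requests are arriving; consider logging before returning.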
    
  • cake/tests/cases/libs/controller/components/security.test.php (+24 −0, modified)
    @@ -608,6 +608,30 @@ function testValidatePostFormHacking() {
     		$result = $this->Controller->Security->validatePost($this->Controller);
     		$this->assertFalse($result, 'validatePost passed when key was missing. %s');
     	}
    +
    +/**
    + * Test that objects can't be passed into the serialized string. This was a vector for RFI and LFI 
    + * attacks. Thanks to Felix Wilhelm
    + *
    + * @return void
    + */
    +	function testValidatePostObjectDeserialize() {
    +		$this->Controller->Security->startup($this->Controller);
    +		$key = $this->Controller->params['_Token']['key'];
    +		$fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877';
    +
    +		// a corrupted serialized object, so we can see if it ever gets to deserialize
    +		$attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}';
    +		$fields .= urlencode(':' . str_rot13($attack));
    +
    +		$this->Controller->data = array(
    +			'Model' => array('username' => 'mark', 'password' => 'foo', 'valid' => '0'),
    +			'_Token' => compact('key', 'fields')
    +		);
    +		$result = $this->Controller->Security->validatePost($this->Controller);
    +		$this->assertFalse($result, 'validatePost passed when key was missing. %s');
    +	}
    +
     /**
      * Tests validation of checkbox arrays
      *
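Review bot: the assertion message in `$this->assertFalse($result, 'validatePost passed when key was missing. %s');` is copied from the preceding test and does not describe this case; it should state that an object in the serialized fields string was accepted. The comment "so we can see if it ever gets to deserialize" promises more than the test checks: it only asserts on the return value, so it would also pass if the string were unserialized and then rejected for some other reason elsewhere in _validatePost. A stronger test would first show that the same request with a plain serialized field list validates, then that substituting the object payload makes it fail, which pins the failure to the new gate.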
    
