We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
This does not work properly, as Recipe->id is overwritten by data.
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack:
https://mullvad.net/en/about.php ... we have notified the owners.
Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.
ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?
this bit of code:
$this->Recipe->save($this->request->data);
looks awfully scary... if it happens in one place, it's likely to happen in other parts of the code. I'm not an expert with cake, but I do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.
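The overwrite described in both posts above, as a stand-alone PHP illustration added here (not code from the thread or from CakePHP): a small mock class stands in for CakePHP's Model, the table rows and the request are constructed, and while the `$fieldList` argument mirrors the real `save($data, $validate, $fieldList)` signature, the mock's filtering and id handling are simplified assumptions about its behaviour.

```php
<?php
// Simplified stand-in for a CakePHP 1.x model (assumption, not Cake's code):
// it reproduces the behaviour the thread describes, where an id submitted
// in the request data overrides the id the controller set on the model.
class MockModel {
    public $id = null;
    public $rows;   // in-memory "table": id => array of fields

    public function __construct(array $rows) { $this->rows = $rows; }

    // Same argument order as CakePHP's Model::save(); $fieldList is a whitelist.
    public function save(array $data, $validate = true, array $fieldList = array()) {
        $fields = $data['User'];
        if ($fieldList) {
            $fields = array_intersect_key($fields, array_flip($fieldList));
        }
        // The bug: a submitted id wins over $this->id, so the caller's
        // intended record is silently swapped for an attacker-chosen one.
        if (isset($fields['id'])) {
            $this->id = $fields['id'];
            unset($fields['id']);
        }
        $this->rows[$this->id] = array_merge($this->rows[$this->id], $fields);
        return true;
    }
}

$table = array(   // constructed sample data
    1 => array('name' => 'alice', 'password' => 'hash-a'),
    2 => array('name' => 'bob',   'password' => 'hash-b'),
);
// Constructed request: the logged-in user is id 1, but the POST carries id 2.
$request = array('User' => array('id' => 2, 'password' => 'hash-x'));

// Vulnerable pattern: request data passed to save() unfiltered.
$m = new MockModel($table);
$m->id = 1;                      // what the controller meant to update
$m->save($request);
echo "vulnerable: row 2 password is now {$m->rows[2]['password']}\n";

// Hardened pattern: drop the client-supplied id and whitelist the
// fields a user is allowed to change on their own record.
$m = new MockModel($table);
$m->id = 1;
unset($request['User']['id']);
$m->save($request, true, array('password'));
echo "hardened: row 2 password is still {$m->rows[2]['password']}, "
   . "row 1 password is {$m->rows[1]['password']}\n";
```

Both guards matter: the whitelist alone depends on the framework filtering the primary key before it is applied, so stripping the id yourself (or taking it only from the session) is the part to rely on.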