PHPIDS Component Implementation for CakePHP

I posted a CakePHP component implementation of PHPIDS today. It includes the latest PHPIDS version (0.6.4).

What I like about the component implementation is that you set the actions you want to monitor when you import the component in the corresponding controllers or your main app_controller.php. Something like this:

var $components=array(‘Cakephpids’=>array( ‘protectedActions’=>array(‘login’,’add’,’register’,’display’)));

Putting this in your main app_controller will run the IDS only when the actions login,register and add are executed.


XSS vulnerabilities in Croogo CMS 1.3


Croogo CMS is prone to HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.


Vulnerable Software: 1.3
Full disclosure Date: 2010-06-14
Last Update: 2010-05-10
Critical: Low
Impact: HTML injection
           Session hijack
           Denial of service
           Code execution

Solution Status: Vendor informed and patch submitted to public repository


Croogo is a content management system gaining popularity rapidily in the CAKEPHP community.


Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.


Attackers can exploit this issue with a web browser sending malicious code through the field ‘name’ located in the user registration form (http://site/users/add) or the field ‘data[Comment][body]’ in the “add a comment” form to comment on a post (http://site/comments/add/).

This time the field ‘data[Comment][body]’ gets sanitized correctly but Tipsy, a Javascript library in charge of creating the tooltips, decodes again the stored sanitized string and it allows html injection in the admin panel.


Upgrade to Croogo 1.3.1 or apply patch Croogo’s public repository


2010/05/08 – Vulnerability discovered
2010/05/08 – Vendor contacted
2010/05/1 2 – Patch submitted to Croogo’s public source code repositories
2010/06/14 – Full disclosure


Croogo CMS – Croogo CMS Official website
Croogo on GitHub – Croogo GitHub
Websec’s advisory permalink –