CakePHP Security Assessment
In the Summer of 2017, Mozilla engaged NCC Group to perform a security assessment of the CakePHP framework under the Secure Open Source track of the Mozilla Open Source Support program, which aims to help improve the security of Free and Open Source Software by funding security audits of vital projects.
CakePHP is a web application framework that provides a Model-View-Controller (MVC) architecture. It is written in PHP and licensed under the MIT license. Its home page is https://cakephp.org/, and the current version at the time of the test was 3.5.0-RC1.
NCC Group identified security flaws that could affect applications using particular CakePHP features, as well as areas in which CakePHP's default settings are insecure.
The assessment was done by three consultants over three calendar weeks, from July 31 to August 18, 2017. The consultants reviewed the CakePHP source code and performed dynamic testing using the standard CakePHP tutorial application as well as other test applications built by the consultants.
Published date: 20 November 2017