logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-6fqw-j3vm-7f66 zendframework/zendframework1

Package

Manager: composer
Name: zendframework/zendframework1
Vulnerable Version: >=0 <1.12.20

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Zendframework1 Potential SQL injection in ORDER and GROUP functions The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur. The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is vulnerable by the following SQL injection: ``` $db = Zend_Db::factory(/* options here */); $select = new Zend_Db_Select($db); $select->from('p'); $select->order("MD5(\"a(\");DELETE FROM p2; #)"); // same with group() ``` The above $select will render the following SQL statement: ``` SELECT `p`.* FROM `p` ORDER BY MD5("a(");DELETE FROM p2; #) ASC ``` instead of the correct one: ``` SELECT "p".* FROM "p" ORDER BY "MD5(""a("");DELETE FROM p2; #)" ASC ``` This security fix can be considered an improvement of the previous ZF2016-02 and ZF2014-04 advisories. As a final consideration, we recommend developers either never use user input for these operations, or filter user input thoroughly prior to invoking Zend_Db. You can use the Zend_Db_Select::quoteInto() method to filter the input data, as shown in this example: ``` $db = Zend_Db::factory(...); $input = "MD5(\"a(\");DELETE FROM p2; #)"; // user input can be an attack $order = $db->quoteInto("SQL statement for ORDER", $input); $select = new Zend_Db_Select($db); $select->from('p'); $select->order($order); // same with group() ```

Metadata

Created: 2024-06-07T22:27:32Z
Modified: 2024-06-07T22:27:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-6fqw-j3vm-7f66/GHSA-6fqw-j3vm-7f66.json
CWE IDs: ["CWE-89"]
Alternative ID: N/A
Finding: F297
Auto approve: 1