GHSA-6fqw-j3vm-7f66

Suggest an improvement
Source
https://github.com/advisories/GHSA-6fqw-j3vm-7f66
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-6fqw-j3vm-7f66/GHSA-6fqw-j3vm-7f66.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6fqw-j3vm-7f66
Published
2024-06-07T22:27:32Z
Modified
2024-12-04T05:30:08.267416Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Zendframework1 Potential SQL injection in ORDER and GROUP functions
Details

The implementation of ORDER BY and GROUP BY in ZendDbSelect remained prone to SQL injection when a combination of SQL expressions and comments were used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur.

The implementation of ORDER BY and GROUP BY in ZendDbSelect of ZF1 is vulnerable by the following SQL injection:

$db = Zend_Db::factory(/* options here */);
$select = new Zend_Db_Select($db);
$select->from('p');
$select->order("MD5(\"a(\");DELETE FROM p2; #)"); // same with group()

The above $select will render the following SQL statement:

SELECT `p`.* FROM `p` ORDER BY MD5("a(");DELETE FROM p2; #) ASC

instead of the correct one:

SELECT "p".* FROM "p" ORDER BY "MD5(""a("");DELETE FROM p2; #)" ASC

This security fix can be considered an improvement of the previous ZF2016-02 and ZF2014-04 advisories.

As a final consideration, we recommend developers either never use user input for these operations, or filter user input thoroughly prior to invoking ZendDb. You can use the ZendDb_Select::quoteInto() method to filter the input data, as shown in this example:

$db    = Zend_Db::factory(...);
$input = "MD5(\"a(\");DELETE FROM p2; #)"; // user input can be an attack
$order = $db->quoteInto("SQL statement for ORDER", $input);

$select = new Zend_Db_Select($db);
$select->from('p');
$select->order($order); // same with group()
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T22:27:32Z"
}
References

Affected packages

Packagist / zendframework/zendframework1

Package

Name
zendframework/zendframework1
Purl
pkg:composer/zendframework/zendframework1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.20

Affected versions

1.*

1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.6
1.12.7
1.12.8
1.12.9
1.12.10
1.12.11
1.12.12
1.12.13
1.12.14
1.12.15
1.12.16
1.12.17
1.12.18
1.12.19