oss-sec mailing list archives
CVE Request: Zend Framework: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 16 Jul 2016 05:43:37 +0200
Hi The Zend Framework project released security advisory ZF2016-02[0] to address a potential SQL injection in ORDER and GROUP statements of Zend_Db_Select.
From the advisory:
The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is vulnerable by the following SQL injection: $db = Zend_Db::factory(/* options here */); $select = new Zend_Db_Select($db); $select->from('p'); $select->order("MD5(\"(\");DELETE FROM p2; #)"); // same with group() The above $select will render the following SQL statement: SELECT `p`.* FROM `p` ORDER BY MD5("");DELETE FROM p2; #) ASC instead of the correct one: SELECT `p`.* FROM `p` ORDER BY "MD5("""");DELETE FROM p2; #)" ASC This security fix can be considered as an improvement of the previous ZF2014-04.
Upstream commit is at [1] as bf3f40605be3d8f136a07ae991079a7dcb34d967. [0] https://framework.zend.com/security/advisory/ZF2016-02 [1] https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967 Could you please assign a CVE for this issue. Regards, Salvatore
Current thread:
- CVE Request: Zend Framework: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select Salvatore Bonaccorso (Jul 15)