Security Advisory

AG2014-01: Potential Database Injection Vector in DB-Connected REST Services

zf-apigility contains a class, ZF\Apigility\DbConnectedResource, used by all DB-Connected REST services for prototyping web services that write to a database table, or for simple CRUD-style web services.

This class was correctly pulling data from the composed input filter, if any, for create() operations. However, it was not doing so for update() and patch() operations, leading to the potential for unfiltered data to make its way to the database.

Note, however, that this is not a SQL injection vulnerability, as database updates were still using the underlying database abstraction layer. However, in cases where values are expected to be normalized, unfiltered versions could enter the database; additionally, if any data not matching existing database columns were provided, database errors could occur.

Action Taken

Each of the create(), update(), and patch() operations in the ZF\Apigility\DbConnectedResource class were updated to always pull data from the composed input filter when present.

The following releases contain the fixes:

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

back to advisories