Security Advisory
ZF2011-02: Potential SQL Injection Vector When Using PDO_MySql
Executive Summary
Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue, which is described in more detail here:
PHP 5.3.6 and later allow character set information to be passed as part of the PDO DSN, so that both the database and the C-level driver know which charset is in use. This is of special importance when PDO's quoting mechanisms are used, which Zend Framework also relies on.
Action Taken
Zend_Db was patched to ensure that any charset information provided to the PDO MySQL adapter will be sent to PDO both as part of the DSN as well as in a SET NAMES query. This ensures that any developer using ZF on PHP 5.3.6+ while using non-ASCII compatible encodings is safe from SQL injection while using PDO's quoting mechanisms or emulated prepared statements.
The patch has been applied starting in versions 1.11.6 and 1.10.9 of Zend Framework.
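As an added illustration, not code from the advisory or from Zend Framework itself, the plain-PDO snippet below places the weak connection setup beside the corrected one that the patched Zend_Db adapter implements. It assumes PHP 5.3.6 or later and a reachable MySQL server; the host, database name and credentials are placeholders.

```php
<?php
// Added example contrasting the weak and the corrected PDO_MySql setup
// described in ZF2011-02. Host and credentials are placeholders (assumption).
$host    = 'db.example.invalid';
$dbname  = 'app';
$user    = 'app_user';
$pass    = 'PLACEHOLDER';
$charset = 'gbk'; // a non-ASCII-compatible encoding

// Weak setup: the charset reaches the server only through SET NAMES.
// The server session switches to GBK, but the C-level client library that
// backs PDO::quote() and emulated prepares still escapes using its default
// charset, so multi-byte GBK sequences can confuse its escaping.
function connectWeak($host, $dbname, $user, $pass, $charset)
{
    $pdo = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
    $pdo->exec('SET NAMES ' . $pdo->quote($charset));
    return $pdo;
}

// Corrected setup (what the patched Zend_Db does): pass the charset in the
// DSN so the client library escapes with charset-aware rules, and still
// issue SET NAMES so the server session matches. Needs PHP 5.3.6+.
function connectFixed($host, $dbname, $user, $pass, $charset)
{
    $dsn = "mysql:host=$host;dbname=$dbname;charset=$charset";
    $pdo = new PDO($dsn, $user, $pass);
    $pdo->exec('SET NAMES ' . $pdo->quote($charset));
    return $pdo;
}

$pdo = connectFixed($host, $dbname, $user, $pass, $charset);

// Check: the session should report the charset the application intended.
$row = $pdo->query('SELECT @@character_set_client AS cs')->fetch(PDO::FETCH_ASSOC);
echo "character_set_client: {$row['cs']}\n";

// PDO::quote() is what Zend_Db's quoting helpers ultimately call; with the
// charset in the DSN its escaping agrees with the session charset.
echo 'quoted literal: ' . $pdo->quote("O'Reilly") . "\n";
```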
Recommendations
If you are using non-ASCII compatible encodings, such as GBK, in conjunction with PDO's MySQL adapter, we strongly urge you to consider upgrading to at least PHP 5.3.6 and use Zend Framework version 1.11.6 or greater, or 1.10.9 if still using the 1.10 series of releases.
Other Information
Acknowledgments
The Zend Framework team thanks the following for working with us to help protect its users:
- Anthony Ferrara
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery).