Security Advisory
ZF2013-03: Potential SQL injection due to execution of platform-specific SQL containing interpolations
The Zend\Db component in Zend Framework 2 provides platform
abstraction, which is used in particular for SQL abstraction. Two methods
defined in the platform interface, quoteValue() and
quoteValueList(), allow users to manually quote values for
creating SQL statements; these are in turn consumed by aspects of the
SQL abstraction platform, including Zend\Db\Sql\Sql::getSqlStringForSqlObject(),
and the getSqlString() method provided in a number of
classes in the Zend\Db\Sql namespace.
While these methods are primarily intended for debugging and logging purposes,
developers can use them to produce SQL that is then passed to the driver to
execute. Due to a flaw in how the quoteValue() and
quoteValueList() methods were written, this can lead to potential
SQL injection.
The offending code is located in any of the Zend\Db\Adapter\Platform*
objects, particularly the quoteValue() and quoteValueList() methods. These
methods did not take into account most of the possible escapable characters
that would need to be escaped when attempting to create a quoted value for
interpolation into a SQL string. Moreover, these methods did value quoting
without extension level coordination which, when available, takes
character-sets into account when quoting.
Action Taken
We have made the following changes to the Platform objects:
- Platform objects now accept the Driver as an optional parameter. This
allows
quoteValue()to use the driver level quoting/escaping mechanism to provide an "as safe as possible" value. - If a driver level quoting/escaping function is not available, the
Platform object will throw an
E_USER_NOTICE. - A new API was introduced for the use cases that need quoting without
the possibility of a warning being triggered:
Zend\Db\Adapter\Platform\PlatformInterface::quoteTrustedValue().
Recommendations
You are only affected by this as an issue if you directly consume one of the following API's in your code, and execute the results with your database adapter:
Zend\Db\Adapter\Platform*::quoteValue()Zend\Db\Adapter\Platform*::quoteValueList()Zend\Db\Sql\Sql->getSqlStringForSqlObject()Zend\Db\Sql\Select->getSqlString()Zend\Db\Sql\Insert->getSqlString()Zend\Db\Sql\Update->getSqlString()Zend\Db\Sql\Delete->getSqlString()
ZF2's Zend\Db and other components that utilize
Zend\Db never directly rely on interpolation of values into SQL
strings. This means that unless you find any of the above calls in your code,
or any code that effectively calls quoteValue(), this issue does
not affect you.
If you do, however, we recommend immediately upgrading to either version 2.0.8 or 2.1.4.
While this advice can be found in many places, it is always worth repeating: you should never rely on interpolation of values into SQL strings; always use prepared statements / parameterization / extension specific value binding.
Other Information
Acknowledgments
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
- Axel Helmert for alerting us to the issue
- Ralph Schindler for implementing a solution
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)