Security

Security Advisory: ZF2013-03

ZF2013-03: Potential SQL injection due to execution of platform-specific SQL containing interpolations

The Zend\Db component in Zend Framework 2 provides platform abstraction, which is used in particular for SQL abstraction. Two methods defined in the platform interface, quoteValue() and quoteValueList(), allow users to manually quote values for creating SQL statements; these are in turn consumed by aspects of the SQL abstraction platform, including Zend\Db\Sql\Sql::getSqlStringForSqlObject(), and the getSqlString() method provided in a number of classes in the Zend\Db\Sql namespace.

While these methods are primarily intended for debugging and logging purposes, developers can use them to produce SQL that is then passed to the driver to execute. Due to a flaw in how the quoteValue() and quoteValueList() methods were written, this can lead to potential SQL injection.

The offending code is located in any of the Zend\Db\Adapter\Platform* objects, particularly the quoteValue() and quoteValueList() methods. These methods did not take into account most of the possible escapable characters that would need to be escaped when attempting to create a quoted value for interpolation into a SQL string. Moreover, these methods did value quoting without extension level coordination which, when available, takes character-sets into account when quoting.

Action Taken

We have made the following changes to the Platform objects:

  • Platform objects now accept the Driver as an optional parameter. This allows quoteValue() to use the driver level quoting/escaping mechanism to provide an "as safe as possible" value.
  • If a driver level quoting/escaping function is not available, the Platform object will throw an E_USER_NOTICE.
  • A new API was introduced for the use cases that need quoting without the possibility of a warning being triggered: Zend\Db\Adapter\Platform\PlatformInterface::quoteTrustedValue().

Recommendations

You are only affected by this as an issue if you directly consume one of the following API's in your code, and execute the results with your database adapter:

  • Zend\Db\Adapter\Platform*::quoteValue()
  • Zend\Db\Adapter\Platform*::quoteValueList()
  • Zend\Db\Sql\Sql->getSqlStringForSqlObject()
  • Zend\Db\Sql\Select->getSqlString()
  • Zend\Db\Sql\Insert->getSqlString()
  • Zend\Db\Sql\Update->getSqlString()
  • Zend\Db\Sql\Delete->getSqlString()

ZF2's Zend\Db and other components that utilize Zend\Db never directly rely on interpolation of values into SQL strings. This means that unless you find any of the above calls in your code, or any code that effectively calls quoteValue(), this issue does not affect you.

If you do, however, we recommend immediately upgrading to either version 2.0.8 or 2.1.4.

While this advice can be found in many places, it is always worth repeating: you should never rely on interpolation of values into SQL strings; always use prepared statements / parameterization / extension specific value binding.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Axel Helmert for alerting us to the issue
  • Ralph Schindler for implementing a solution

Released 2013-03-14

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts