Security

Security Advisory: ZF2014-06

ZF2014-06: SQL injection vector when manually quoting values for sqlsrv extension, using null byte

The sqlsrv PHP extension, which provides the ability to connect to Microsoft SQL Server from PHP, does not provide a built-in quoting mechanism for manually quoting values to pass via SQL queries; developers are encouraged to use prepared statements. Zend Framework provides quoting mechanisms via Zend Framework 1's Zend_Db_Adapter_Sqlsrv and Zend Framework 2's Zend\Db\Adapter\Platform\SqlServer classes; these traditionally use the recommended "double single quote" ('') as quoting delimiters.

SQL Server treats null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

Developers using the relevant PDO_Sqlsrv adapter in any version of Zend Framework are not vulnerable to this attack, as PDO provides a native quoting mechanism that prevents the attack vector.

Action Taken

When quoting values for SQL server, we now pass them to PHP's addcslashes function to sanitize and properly quote null bytes:

$value = addcslashes($value, "\000\032");

This action quotes null bytes, preventing SQL injection vectors.

The following releases contain the fixes:

  • Zend Framework 1.12.9
  • Zend Framework 2.2.8
  • Zend Framework 2.3.3

If you are using an affected version of PHP, and utilizing the sqlsrv PHP extensio within Zend Framework, we highly recommend upgrading immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Jonas Sandström, who discovered and reported the issue against the Zend_Db_Adapter_Sqlsrv component of ZF1;
  • Matthew Weier O'Phinney, who provided the patch.

Released 2014-09-18

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2019 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts