Security

Security Advisory: ZF2015-08

ZF2015-08: Potential SQL injection vector using null byte for PDO (MsSql, SQLite)

The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.

Action Taken

We added null byte filtering in the PDO abstract component Zend_Db_Adapter_Pdo_Abstract. We decided to use the abstract component to prevent null byte injection in all the PDO adapters once we discovered the situation was not specific to pdo_dblib.

We used the PHP's addcslashes to sanitize and properly quote null bytes:

$value = addcslashes($value, "\000\032");

The following releases contain the fixes:

  • Zend Framework 1.12.16

Recommendations

If you use one of the PDO-based adapters in Zend Framework 1, we recommend upgrading to 1.12.16 immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Chris Kings-Lynne, who discovered and reported the issue against the Zend_Db_Adapter_Pdo_Mssql component of ZF1;
  • Enrico Zimuel, who provided the patch.

Released 2015-09-15

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts