The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.
We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a
Linux environment to access a remote Microsoft SQL Server, and also tested
against and noted the vector against pdo_sqlite.
We added null byte filtering in the PDO abstract component
Zend_Db_Adapter_Pdo_Abstract. We decided to use the abstract component to
prevent null byte injection in all the PDO adapters once we discovered the
situation was not specific to pdo_dblib.
We used the PHP's addcslashes to sanitize and properly quote null bytes:
$value = addcslashes($value, "\000\032");
The following releases contain the fixes:
If you use one of the PDO-based adapters in Zend Framework 1, we recommend upgrading to 1.12.16 immediately.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Zend_Db_Adapter_Pdo_Mssql component of ZF1;Released 2015-09-15
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com