The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.
We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.
We added null byte filtering in the PDO abstract component Zend_Db_Adapter_Pdo_Abstract. We decided to use the abstract component to prevent null byte injection in all the PDO adapters once we discovered the situation was not specific to pdo_dblib.
We used the PHP's addcslashes to sanitize and properly quote null bytes:
$value = addcslashes($value, "\000\032");
The following releases contain the fixes:
Zend Framework 1.12.16
If you use one of the PDO-based adapters in Zend Framework 1, we recommend upgrading to 1.12.16 immediately.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Chris Kings-Lynne, who discovered and reported the issue against the Zend_Db_Adapter_Pdo_Mssql component of ZF1;
Enrico Zimuel, who provided the patch.