Zend PDO (MsSql, SQLite) Potential SQL injection vector using null byte

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1041151 漏洞类型
发布时间 2015-09-30 更新时间 2015-09-30
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2015090195
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.


Action Taken
We added null byte filtering in the PDO abstract component Zend_Db_Adapter_Pdo_Abstract. We decided to use the abstract component to prevent null byte injection in all the PDO adapters once we discovered the situation was not specific to pdo_dblib.

We used the PHP's addcslashes to sanitize and properly quote null bytes:

$value = addcslashes($value, "\000\032");

The following releases contain the fixes:
Zend Framework 1.12.16


Recommendations

If you use one of the PDO-based adapters in Zend Framework 1, we recommend upgrading to 1.12.16 immediately.


Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Chris Kings-Lynne, who discovered and reported the issue against the Zend_Db_Adapter_Pdo_Mssql component of ZF1;
Enrico Zimuel, who provided the patch.