Date: Sat, 16 Jul 2016 05:43:37 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Cc: taffit@...ian.org Subject: CVE Request: Zend Framework: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select Hi The Zend Framework project released security advisory ZF2016-02 to address a potential SQL injection in ORDER and GROUP statements of Zend_Db_Select. >From the advisory: > The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 > is vulnerable by the following SQL injection: > > $db = Zend_Db::factory(/* options here */); > $select = new Zend_Db_Select($db); > $select->from('p'); > $select->order("MD5(\"(\");DELETE FROM p2; #)"); // same with group() > > The above $select will render the following SQL statement: > > SELECT `p`.* FROM `p` ORDER BY MD5("");DELETE FROM p2; #) ASC > > instead of the correct one: > > SELECT `p`.* FROM `p` ORDER BY "MD5("""");DELETE FROM p2; #)" ASC > > This security fix can be considered as an improvement of the previous > ZF2014-04. Upstream commit is at  as bf3f40605be3d8f136a07ae991079a7dcb34d967.  https://framework.zend.com/security/advisory/ZF2016-02  https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967 Could you please assign a CVE for this issue. Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ