Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 Jul 2016 05:43:37 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: taffit@...ian.org
Subject: CVE Request: Zend Framework: Potential SQL injection in ORDER and
 GROUP statements of Zend_Db_Select

Hi

The Zend Framework project released security advisory ZF2016-02[0] to
address a potential SQL injection in ORDER and GROUP statements of
Zend_Db_Select.

>From the advisory:

> The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1
> is vulnerable by the following SQL injection:
>
> $db = Zend_Db::factory(/* options here */);
> $select = new Zend_Db_Select($db);
> $select->from('p');
> $select->order("MD5(\"(\");DELETE FROM p2; #)"); // same with group()
>
> The above $select will render the following SQL statement:
>
> SELECT `p`.* FROM `p` ORDER BY MD5("");DELETE FROM p2; #) ASC
>
> instead of the correct one:
>
> SELECT `p`.* FROM `p` ORDER BY "MD5("""");DELETE FROM p2; #)" ASC
>
> This security fix can be considered as an improvement of the previous
> ZF2014-04.

Upstream commit is at [1] as bf3f40605be3d8f136a07ae991079a7dcb34d967.

 [0] https://framework.zend.com/security/advisory/ZF2016-02
 [1]  https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967

Could you please assign a CVE for this issue.

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ