Advisory Database
  • Advisories
  • Dependency Scanning
  1. composer
  2. ›
  3. propel/propel
  4. ›
  5. GHSA-7vw7-qx38-37vr

GHSA-7vw7-qx38-37vr: Propel2 SQL injection possible with limit() on MySQL

May 20, 2024

The limit() query method is susceptible to catastrophic SQL injection with MySQL.

For example, given a model User for a table users:

UserQuery::create()->limit('1;DROP TABLE users')->find();

This will drop the users table!

The cause appears to be a lack of integer casting of the limit input in either Propel\Runtime\ActiveQuery\Criteria::setLimit() or in Propel\Runtime\Adapter\Pdo\MysqlAdapter::applyLimit(). The code comments there seem to imply that casting was avoided due to overflow issues with 32-bit integers.

This is surprising behavior since one of the primary purposes of an ORM is to prevent basic SQL injection.

This affects all versions of Propel: 1.x, 2.x, and 3.

References

  • github.com/FriendsOfPHP/security-advisories/blob/master/propel/propel/2018-02-14.yaml
  • github.com/advisories/GHSA-7vw7-qx38-37vr
  • github.com/propelorm/Propel2
  • github.com/propelorm/Propel2/commit/cd23d7384a15cfe203e23b3a835c8ab1d81d9246
  • github.com/propelorm/Propel2/issues/1463
  • github.com/propelorm/Propel2/pull/1464

Code Behaviors & Features

Detect and mitigate GHSA-7vw7-qx38-37vr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 2.0.0-alpha1 before 2.0.0-alpha8

Fixed versions

  • 2.0.0-alpha8

Solution

Upgrade to version 2.0.0-alpha8 or above.

Impact 9.8 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Source file

packagist/propel/propel/GHSA-7vw7-qx38-37vr.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:16:09 +0000.