GHSA-v42g-7q2x-cw32: Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite)

June 7, 2024

The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.

References

framework.zend.com/security/advisory/ZF2015-08
github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2015-08.yaml
github.com/advisories/GHSA-v42g-7q2x-cw32
github.com/zendframework/zf1

Detect and mitigate GHSA-v42g-7q2x-cw32 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →