    Security Advisory: ZF2014-04

    ZF2014-04: Potential SQL injection in the ORDER implementation of Zend_Db_Select

    The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the string passed to order() contains parentheses.

    For instance, the following code is affected by this issue:

    $db     = Zend_Db::factory( /* options here */ );
    $select = $db->select()
        ->from(array('p' => 'products'))
        // the value below contains parentheses, so it is treated as a raw SQL expression
        ->order('MD5(1); drop table products');
    echo $select;
    

    This code produces the string:

    SELECT "p".* FROM "products" AS "p" ORDER BY MD5(1);drop table products ASC
    

    instead of the correct one:

    SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);drop table products" ASC
    

    The SQL injection occurs because, whenever the value contains parentheses, order() wraps it in a new Zend_Db_Expr() object, so the string is passed through verbatim without any quoting or filtering.

    Action Taken

    We fixed the issue in the Zend_Db_Select::order() function using a more granular regular expression to match only SQL functions in an ORDER BY statement, such as ORDER BY ABS("zfproducts"."product_id").

    The new regular expression is '/^[\w]*\(.*\)$/' instead of the previous '/\(.*\)/'. Because the new pattern must match the whole value (an optional function name followed by a parenthesized argument list and nothing else), the input from the previous attack no longer qualifies as an expression and is quoted as an identifier instead.

    The previous SQL example with the fix is rendered in the correct way:

    SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);drop table products" ASC
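
    The following is an added worked example, not code from the advisory or from Zend Framework: it reimplements in Python the decision that Zend_Db_Select::order() makes with the old and the new regular expression, and renders the ORDER BY fragment the way Zend_Db would, using a simplified stand-in for its double-quote identifier quoting. The helper names, the sample values and the allow-list check at the end are assumptions of this example.

```python
import re

# Pattern used before the fix: parentheses anywhere in the value make it a raw expression.
OLD_PATTERN = re.compile(r'\(.*\)')
# Pattern introduced in Zend Framework 1.12.7: the whole value must be a function call.
NEW_PATTERN = re.compile(r'^[\w]*\(.*\)$')


def quote_identifier(name: str) -> str:
    """Simplified stand-in for Zend_Db's identifier quoting (hypothetical helper):
    each dot-separated part is wrapped in double quotes, embedded quotes doubled."""
    return '.'.join('"' + part.replace('"', '""') + '"' for part in name.split('.'))


def render_order(order: str, pattern: re.Pattern, direction: str = 'ASC') -> str:
    """Return the ORDER BY fragment for a string passed to order().

    `pattern` is the regex that decides whether the value is emitted verbatim
    (as Zend_Db_Expr would be) or quoted as an identifier.  preg_match() has
    search semantics, so re.search is the faithful equivalent here.
    """
    if pattern.search(order):
        return f'ORDER BY {order} {direction}'          # raw expression, no quoting
    return f'ORDER BY {quote_identifier(order)} {direction}'


def is_allowed_sort_column(value: str, allowed: frozenset) -> bool:
    """Defensive check that callers should apply before order() regardless of
    the framework fix: only accept column names from an explicit allow-list."""
    return value in allowed


if __name__ == '__main__':
    # Constructed sample values: the advisory's payload and a legitimate expression.
    payload = 'MD5(1); drop table products'
    legit = 'ABS("zfproducts"."product_id")'
    print(render_order(payload, OLD_PATTERN))   # injected verbatim before the fix
    print(render_order(payload, NEW_PATTERN))   # quoted as an identifier after the fix
    print(render_order(legit, NEW_PATTERN))     # real function calls still pass through
    print(is_allowed_sort_column(payload, frozenset({'product_id', 'name'})))
```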
    

    The patch is available starting in Zend Framework 1.12.7.

    Other Information

    This SQL injection attack does not affect Zend Framework 2 versions because the implementation of Zend\Db\Sql\Select::order() does not treat parenthesized values as expressions.

    Acknowledgments

    The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

    • Cassiano Dal Pizzol, who discovered the original issue;
    • Lars Kneschke, who analyzed and reported the issue;
    • Enrico Zimuel, who provided the patch.

    Released 2014-06-12
