    Security Advisory: ZF2016-03

    ZF2016-03: Potential SQL injection in ORDER and GROUP functions of ZF1

    The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments was used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking the validity of the statement, so that no SQLi vectors remain.

    The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is vulnerable to the following SQL injection:

    $db = Zend_Db::factory(/* options here */);
    $select = new Zend_Db_Select($db);
    $select->from('p');
    $select->order("MD5(\"a(\");DELETE FROM p2; #)"); // same with group()
    

    The above $select will render the following SQL statement:

    SELECT `p`.* FROM `p` ORDER BY MD5("a(");DELETE FROM p2; #) ASC
    

    instead of the correct one:

    SELECT "p".* FROM "p" ORDER BY "MD5(""a("");DELETE FROM p2; #)" ASC
    

    This security fix can be considered an improvement of the previous ZF2016-02 and ZF2014-04 advisories.

    As a final consideration, we recommend developers either never use user input for these operations, or filter user input thoroughly prior to invoking Zend_Db. You can use the Zend_Db_Select::quoteInto() method to filter the input data, as shown in this example:

    $db    = Zend_Db::factory(...);
    $input = "MD5(\"a(\");DELETE FROM p2; #)"; // user input can be an attack
    // quoteInto() replaces each ? placeholder with the quoted, escaped value,
    // so the input can only ever be a string literal inside the expression
    $order = $db->quoteInto("MD5(?)", $input);
    
    $select = new Zend_Db_Select($db);
    $select->from('p');
    $select->order($order); // same with group()
    

    Action Taken

    We fixed the reported SQL injection by removing comments from the SQL statement before passing it to either the order() or group() method; this patch closes the comment-based SQLi vectors.

    We used the following regex to remove comments from a SQL statement:

    const REGEX_SQL_COMMENTS = '@
        (([\'"]).*?[^\\\]\2) # $1 : Skip single & double quoted expressions
        |(                   # $3 : Match comments
            (?:\#|--).*?$    # - Single line comments
            |                # - Multi line (nested) comments
             /\*             #   . comment open marker
                (?: [^/*]    #   . non comment-marker characters
                    |/(?!\*) #   . ! not a comment open
                    |\*(?!/) #   . ! not a comment close
                    |(?R)    #   . recursive case
                )*           #   . repeat eventually
            \*\/             #   . comment close marker
        )\s*                 # Trim after comments
        |(?<=;)\s+           # Trim after semi-colon
        @msx';
    
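    To make the effect of the fix concrete, the following Python is an added model of the decision the advisory describes and is not Zend Framework code: it strips comments with a scanner that has the same effect as REGEX_SQL_COMMENTS (Python's re module lacks the (?R) recursion the PHP pattern uses), then applies a balanced-parentheses expression check, which is an assumption about how ZF1 decides that an argument is a raw expression. Run on the payload above, it shows why the unpatched path renders a raw expression while the patched path renders the quoted identifier shown earlier.

```python
import re

PAYLOAD = 'MD5("a(");DELETE FROM p2; #)'  # constructed: the advisory's ORDER BY argument

def _skip_ws(s, i):
    return re.match(r"\s*", s[i:]).end() + i

def strip_sql_comments(sql):
    # Same effect as the advisory's REGEX_SQL_COMMENTS: quoted strings stay verbatim, '#' and
    # '--' comments run to end of line, /* */ nests, whitespace after a comment or ';' is dropped.
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):                        # copy a string through its closing quote
            j = i + 1
            while j < n and not (sql[j] == c and sql[j - 1] != "\\"):
                j += 1
            out.append(sql[i:j + 1])
            i = j + 1
        elif c == "#" or sql.startswith("--", i):  # single-line comment
            while i < n and sql[i] != "\n":
                i += 1
            i = _skip_ws(sql, i)
        elif sql.startswith("/*", i):              # block comment, nesting allowed
            depth, i = 1, i + 2
            while i < n and depth:
                if sql.startswith("/*", i):
                    depth, i = depth + 1, i + 2
                elif sql.startswith("*/", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
            i = _skip_ws(sql, i)
        else:
            out.append(c)
            i = _skip_ws(sql, i + 1) if c == ";" else i + 1
    return "".join(out)
def is_column_expr(value):
    # Model (an assumption, not ZF's own code) of the balanced-parentheses test that lets
    # ZF1 treat name(...) as a raw expression: the first '(' must close at the very end.
    m = re.match(r"\w*\s*\(", value)
    depth = 0
    for k in range(m.end() - 1 if m else len(value), len(value)):
        depth += {"(": 1, ")": -1}.get(value[k], 0)
        if depth == 0:
            return k == len(value) - 1
    return False
def render_order(value, patched=True):
    # The fix: strip comments before the check; anything that fails is quoted as an identifier.
    checked = strip_sql_comments(value) if patched else value
    return checked if is_column_expr(checked) else '"' + value.replace('"', '""') + '"'
```

The trailing `#)` is what makes the unpatched parentheses check pass; once the comment is gone the expression is unbalanced and the whole value is quoted, which is exactly the corrected statement shown above.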

    The patch is available starting in Zend Framework 1.12.20.

    Other Information

    This SQL injection attack does not affect Zend Framework 2 and 3 versions because the implementations of Zend\Db\Sql\Select::order() and Zend\Db\Sql\Select::group() do not manage parenthetical expressions.

    Acknowledgments

    The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

    • Hiroshi Tokumaru (HASH Consulting Corp.), who discovered the issue;
    • Masanobu Katagi (Japan Computer Emergency Response Team Coordination Center), who reported the issue;
    • Enrico Zimuel, who provided the patch.

    Released 2016-09-08
