ZF2016-02: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select
The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is vulnerable to the following SQL injection:
$db = Zend_Db::factory(/* options here */);
$select = new Zend_Db_Select($db);
$select->from('p');
$select->order("MD5(\"(\");DELETE FROM p2; #)"); // same with group()
$select will render the following SQL statement:
SELECT `p`.* FROM `p` ORDER BY MD5("");DELETE FROM p2; #) ASC
instead of the correct one:
SELECT `p`.* FROM `p` ORDER BY "MD5("""");DELETE FROM p2; #)" ASC
This security fix can be considered as an improvement of the previous ZF2014-04.
We fixed the reported SQL injection using two regular expressions for the order() and group() methods of Zend_Db_Select, created as class constants (REGEX_COLUMN_EXPR_GROUP for group(), and a corresponding constant for order()). These are defined as:
This regexp is different from the previous REGEX_COLUMN_EXPR, which used the [\w]*; we now require at least one word boundary (
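The following Python model, added here and not Zend_Db_Select's own code, shows why the payload above slips through the old rule and is stopped by the new one. It assumes the rule as the advisory describes it: an order()/group() term is emitted verbatim only when it is a function-call expression (a name, optional whitespace, then one balanced parenthesised group running to the end of the string), and the fix requires a leading name on every nested group as well (the [\w]* to at-least-one-word-character change), so a bare "(" inside the term, even inside a string literal, cannot open a group. Everything else is quoted as an identifier with embedded quote characters doubled, using double quotes as the assumed quote style; the rendered statements quoted earlier on this page are shown without the inner "(" of the payload, whereas this code quotes the payload exactly as it appears in the PHP snippet. The parser deliberately has no string-literal awareness, mirroring the regular-expression approach: a rejected term is not an error, it simply gets identifier-quoted.

```python
import re

# Added model of the check the advisory describes for order()/group() terms;
# it is not Zend_Db_Select's own code. A term is emitted verbatim only when it
# parses as a function-call expression: NAME, optional whitespace, one balanced
# parenthesised group running to the end of the string. strict=False mirrors the
# old rule, where a nested group needed no leading name ([\w]* in the advisory's
# words); strict=True mirrors the fix, which requires a name ([\w]+), so a bare
# "(" inside the term, even one sitting inside a string literal, cannot open a
# group and the whole term falls back to identifier quoting.

_CALL_START = re.compile(r"\w+\s*\(")                       # NAME ws* (
_DIRECTION = re.compile(r"^(.*\W)(ASC|DESC)\s*$", re.IGNORECASE | re.DOTALL)


def _parse_group(s: str, i: int, need_name: bool) -> int:
    """Parse [NAME] '(' body ')' at s[i]; return the index just past ')' or -1."""
    m = _CALL_START.match(s, i)
    if m:
        i = m.end()
    elif need_name or i >= len(s) or s[i] != "(":
        return -1                      # no group here, or a bare "(" where a name is required
    else:
        i += 1                         # bare "(": only tolerated by the old, loose rule
    while i < len(s):
        ch = s[i]
        if ch == ")":
            return i + 1
        if ch == "(" or _CALL_START.match(s, i):
            i = _parse_group(s, i, need_name)      # nested group follows the same rule
            if i < 0:
                return -1
        else:
            i += 1                     # any other character is plain body text
    return -1                          # ran out of input before the closing ")"


def is_function_expr(term: str, strict: bool = True) -> bool:
    """True if the whole term is one function-call expression under the chosen rule."""
    return _parse_group(term, 0, need_name=strict) == len(term)


def quote_identifier(ident: str, quote: str = '"') -> str:
    """Quote a (possibly dotted) identifier, doubling embedded quote characters."""
    return ".".join(quote + seg.replace(quote, quote * 2) + quote for seg in ident.split("."))


def render_order_term(term: str, strict: bool = True, quote: str = '"') -> str:
    """Render one order() argument: raw if it is a recognised expression, otherwise
    quoted as an identifier. A trailing ASC/DESC is split off; the default is ASC."""
    direction = "ASC"
    m = _DIRECTION.match(term)
    if m:
        term, direction = m.group(1).strip(), m.group(2).upper()
    sql = term if is_function_expr(term, strict) else quote_identifier(term, quote)
    return f"{sql} {direction}"


def render_order(terms, strict: bool = True, quote: str = '"') -> str:
    """Render a full ORDER BY clause from a list of order() arguments."""
    return "ORDER BY " + ", ".join(render_order_term(t, strict, quote) for t in terms)


# Constructed input: the payload from the advisory's PHP snippet.
PAYLOAD = 'MD5("(");DELETE FROM p2; #)'

if __name__ == "__main__":
    for term in ("p.name", "LOWER(name) DESC", "SUBSTR(LOWER(name), 1, 3)", PAYLOAD):
        print(f"{term!r:45} old: {render_order_term(term, strict=False)}")
        print(f"{'':45} new: {render_order_term(term)}")
```

Under the old rule the payload parses as an expression because the "(" inside the string literal opens a nameless nested group that is closed by the ")" after the second quote, leaving the rest of the payload as ordinary body text; under the new rule that nameless group is refused, the parse fails, and the whole term is quoted as one identifier. Ordinary column names and nested function calls render the same way under both rules, so the stricter check costs nothing for legitimate terms; an expression with a genuinely bare inner group such as COALESCE((a), b) is the one thing it now quotes instead of passing through.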
The patch is available starting in Zend Framework 1.12.19.
This SQL injection attack does not affect Zend Framework 2 and 3 versions because the
not manage parenthetical expressions.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
- Peter O'Callaghan, who discovered and reported the issue;
- Enrico Zimuel, who provided the patch.