ZendFramework1 Potential SQL injection in the ORDER implementation of Zend_Db_Select

The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses.

For instance, the following code is affected by this issue:

$db     = Zend_Db::factory( /* options here */ );
$select = $db-&gt;select()
    -&gt;from(array(&#039;p&#039; =&gt; &#039;products&#039;))
    -&gt;order(&#039;MD5(1); drop table products&#039;);
echo $select;

This code produce the string:

SELECT &quot;p&quot;.* FROM &quot;products&quot; AS &quot;p&quot; ORDER BY MD5(1);drop table products ASC

instead of the correct one:

SELECT &quot;p&quot;.* FROM &quot;products&quot; AS &quot;p&quot; ORDER BY &quot;MD5(1);drop table products&quot; ASC

The SQL injection occurs because we create a new Zend_Db_Expr() object, in presence of parentheses, passing directly the value without any filter on the string.

Published: Jun 7, 2024
Updated: Jun 27, 2024
GHSA: GHSA-2x36-qhx3-7m5f
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
zendframework / zendframework1	1.12.0	1.12.7

Vulnerability Database

290,206

ZendFramework1 Potential SQL injection in the ORDER implementation of Zend_Db_Select