Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite)

The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.

Published: Jun 7, 2024
Updated: Jun 27, 2024
GHSA: GHSA-v42g-7q2x-cw32
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
zendframework / zendframework1	1.12.0	1.12.16

https://framework.zend.com/security/advisory/ZF2015-08
https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2015-08.yaml

Vulnerability Database

290,206

Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite)