Bug 523198 - <dev-php/ZendFramework-1.12.9: SQL injection vector when manually quoting values for sqlsrv extension, using null byte (CVE-2014-8088)
Summary: <dev-php/ZendFramework-1.12.9: SQL injection vector when manually quoting val...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://framework.zend.com/security/ad...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-19 07:55 UTC by Agostino Sarubbo
Modified: 2015-03-18 21:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-09-19 07:55:02 UTC
From ${URL} :

The sqlsrv PHP extension, which provides the ability to connect to Microsoft SQL Server from PHP, does not provide a built-in quoting mechanism for manually quoting values to pass via SQL queries; developers are encouraged to use prepared statements. Zend Framework provides quoting mechanisms via Zend Framework 1's Zend_Db_Adapter_Sqlsrv and Zend Framework 2's Zend\Db\Adapter\Platform\SqlServer classes; these traditionally use the recommended "double single quote" ('') as quoting delimiters.

SQL Server treats null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

Developers using the relevant PDO_Sqlsrv adapter in any version of Zend Framework are not vulnerable to this attack, as PDO provides a native quoting mechanism that prevents the attack vector.

Action Taken

When quoting values for SQL server, we now pass them to PHP's addcslashes function to sanitize and properly quote null bytes:

    $value = addcslashes($value, "\000\032");

This action quotes null bytes, preventing SQL injection vectors.

The following releases contain the fixes:

  - Zend Framework 1.12.9
  - Zend Framework 2.2.8
  - Zend Framework 2.3.3

If you are using an affected version of PHP, and utilizing the sqlsrv PHP extension within Zend Framework, we highly recommend upgrading immediately.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
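As an added illustration (not code from the advisory or from Zend Framework itself), the two quoting behaviours described above side by side: a quoter that only doubles single quotes, and one that applies the addcslashes() step from the advisory before doubling them. The function names and the sample input are constructed for this example.

```php
<?php
// Illustrative code only; not Zend Framework's Zend_Db_Adapter_Sqlsrv implementation.

// Pre-fix style: only the single quote is doubled. A NUL byte passes through
// unchanged, and SQL Server stops reading the string literal at that byte.
function quoteNaive(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Post-fix style: NUL (\000) and Ctrl-Z (\032) are rewritten as octal escape
// sequences by addcslashes() before the quotes are doubled, so no raw NUL
// byte reaches the driver inside the literal.
function quoteHardened(string $value): string
{
    $value = addcslashes($value, "\000\032");
    return "'" . str_replace("'", "''", $value) . "'";
}

// Defensive check a caller can run on a quoted literal: a raw NUL anywhere in
// it means the quoting step did not neutralise the byte.
function containsRawNul(string $quoted): bool
{
    return strpos($quoted, "\0") !== false;
}

// Constructed sample input: a value containing both a single quote and a NUL byte.
$input = "O'Brien\0trailing";

$naive    = quoteNaive($input);
$hardened = quoteHardened($input);

// The NUL is shown as <NUL> for display only; the naive literal still carries the raw byte.
printf("naive    : %s  (raw NUL present: %s)\n",
    str_replace("\0", "<NUL>", $naive), containsRawNul($naive) ? 'yes' : 'no');
printf("hardened : %s  (raw NUL present: %s)\n",
    $hardened, containsRawNul($hardened) ? 'yes' : 'no');
```

The hardened literal contains the six visible characters `\000` in place of the NUL byte, which is what the advisory means by "quoting null bytes"; using the PDO_Sqlsrv adapter, as the advisory notes, avoids manual quoting altogether.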
Comment 1 Brian Evans (RETIRED) gentoo-dev 2014-10-07 18:45:13 UTC
+*ZendFramework-1.12.9 (07 Oct 2014)
+
+  07 Oct 2014;  <grknight@gentoo.org> +ZendFramework-1.12.9.ebuild,
+  -ZendFramework-1.11.6.ebuild:
+  Version bump for wrt bug 448576 and security bugs 451060, 505276 and 523198

Should be OK to stable as it keeps backwards compatibility with the 1.11 series
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 05:09:59 UTC
Arches, please test and mark stable:

=dev-php/ZendFramework-1.12.9

Target Keywords : "amd64 hppa x86"
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 00:04:56 UTC
CVE-2014-8088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8088):
  The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in
  Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to
  bypass authentication via a password starting with a null byte, which
  triggers an unauthenticated bind.
Comment 4 Brian Evans (RETIRED) gentoo-dev 2015-01-19 17:56:36 UTC
(In reply to Yury German from comment #2)
> Arches, please test and mark stable:
> 
> =dev-php/ZendFramework-1.12.9
> 
> Target Keywords : "amd64 hppa x86"

I believe blueknight meant to add arches.  Adding now
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-20 07:38:37 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-01-21 10:19:47 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-01-21 10:20:30 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Brian Evans (RETIRED) gentoo-dev 2015-01-21 21:23:12 UTC
Old version dropped
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 18:04:28 UTC
GLSA vote: no.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-03-18 21:50:24 UTC
GLSA Vote: No