Search for packages
| purl | pkg:composer/zendframework/zendframework1@1.12.16 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2xx4-77e9-pfbb
Aliases: ZF2016-02 |
Potential SQL injection The implementation of `ORDER BY` and `GROUP BY` in `Zend_Db_Select` of ZF1 is vulnerable by the following SQL injection. |
Affected by 2 other vulnerabilities. |
|
VCID-8atm-865q-mkf3
Aliases: ZF2015-09 |
Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`. |
Affected by 7 other vulnerabilities. |
|
VCID-b1da-n1u7-43hj
Aliases: GHSA-8xhv-gqm4-3w99 |
ZendFramework1 Potential Insufficient Entropy Vulnerability We discovered several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. These random number generators are used in the following method calls: ``` Zend_Ldap_Attribute::createPassword Zend_Form_Element_Hash::_generateHash Zend_Gdata_HttpClient::filterHttpRequest Zend_Filter_Encrypt_Mcrypt::_srand Zend_OpenId::randomBytes ``` In each case, the methods were using rand() or mt_rand(), neither of which can generate cryptographically secure values. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. Moreover, we discovered a potential security issue in the usage of the [openssl_random_pseudo_bytes()](http://php.net/manual/en/function.openssl-random-pseudo-bytes.php) function in Zend_Crypt_Math::randBytes, reported in PHP BUG [#70014](https://bugs.php.net/bug.php?id=70014), and the security implications reported in a discussion [on the random_compat library.](https://github.com/paragonie/random_compat/issues/96) |
Affected by 4 other vulnerabilities. |
|
VCID-bjvu-jg9w-mqdd
Aliases: CVE-2016-6233 GHSA-p9hp-3gpv-52w3 |
SQL Injection The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern `[\w]*` in a regular expression. |
Affected by 2 other vulnerabilities. |
|
VCID-c8kp-n8m3-2khe
Aliases: GHSA-6fqw-j3vm-7f66 |
Zendframework1 Potential SQL injection in ORDER and GROUP functions The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur. The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is vulnerable by the following SQL injection: ``` $db = Zend_Db::factory(/* options here */); $select = new Zend_Db_Select($db); $select->from('p'); $select->order("MD5(\"a(\");DELETE FROM p2; #)"); // same with group() ``` The above $select will render the following SQL statement: ``` SELECT `p`.* FROM `p` ORDER BY MD5("a(");DELETE FROM p2; #) ASC ``` instead of the correct one: ``` SELECT "p".* FROM "p" ORDER BY "MD5(""a("");DELETE FROM p2; #)" ASC ``` This security fix can be considered an improvement of the previous ZF2016-02 and ZF2014-04 advisories. As a final consideration, we recommend developers either never use user input for these operations, or filter user input thoroughly prior to invoking Zend_Db. You can use the Zend_Db_Select::quoteInto() method to filter the input data, as shown in this example: ``` $db = Zend_Db::factory(...); $input = "MD5(\"a(\");DELETE FROM p2; #)"; // user input can be an attack $order = $db->quoteInto("SQL statement for ORDER", $input); $select = new Zend_Db_Select($db); $select->from('p'); $select->order($order); // same with group() ``` |
Affected by 0 other vulnerabilities. |
|
VCID-h5yf-ahec-gbgx
Aliases: GHSA-848f-mph5-9pm9 |
Zendframework Potential Information Disclosure and Insufficient Entropy vulnerability In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 7 other vulnerabilities. |
|
VCID-n2gy-93nd-gber
Aliases: ZF2016-01 |
Potential Insufficient Entropy Vulnerability in ZF1. |
Affected by 4 other vulnerabilities. |
|
VCID-q73m-16a9-rkgx
Aliases: GMS-2015-49 |
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 7 other vulnerabilities. |
|
VCID-rc3w-5r97-k3b3
Aliases: ZF2016-03 |
Potential SQL injection in ORDER and GROUP functions The implementation of ORDER BY and GROUP BY in `Zend_Db_Select` is prone to SQL injection when a combination of SQL expressions and comments are used. |
Affected by 0 other vulnerabilities. |
|
VCID-sjw9-2fwe-5ybg
Aliases: ZF2016-11 |
Potential Insufficient Entropy There are several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. Moreover, there's a potential security issue in the usage of the `openssl_random_pseudo_bytes()` function in `Zend_Crypt_Math::randBytes`, reported in PHP BUG #70014, and the security implications reported in a discussion on the `random_compat` library. |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2ncq-wptr-k3ha | SQL Injection Potential SQL injection vector using null byte for PDO (MsSql, SQLite). |
ZF2015-08
|
| VCID-ps73-776n-zffn | Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite) The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite. |
GHSA-v42g-7q2x-cw32
|
| VCID-q74z-645k-c7dk | Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of |
CVE-2015-5723
GHSA-pw5c-xqf2-6xc2 |
| VCID-uvgx-4m6v-2bg7 | SQL injection vector using null byte for PDO The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. This only impacts MsSql and SQLite adapters. |
CVE-2015-7695
GHSA-2hvh-c5c2-vj85 |