| Vulnerability ID | VCID-c8kp-n8m3-2khe |
| Aliases | GHSA-6fqw-j3vm-7f66 |
| Summary | Zendframework1 Potential SQL injection in ORDER and GROUP functions |

The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments was used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur.

The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is vulnerable to the following SQL injection:

```
$db = Zend_Db::factory(/* options here */);
$select = new Zend_Db_Select($db);
$select->from('p');
$select->order("MD5(\"a(\");DELETE FROM p2; #)"); // same with group()
```

The above $select will render the following SQL statement:

```
SELECT `p`.* FROM `p` ORDER BY MD5("a(");DELETE FROM p2; #) ASC
```

instead of the correct one:

```
SELECT "p".* FROM "p" ORDER BY "MD5(""a("");DELETE FROM p2; #)" ASC
```

This security fix can be considered an improvement of the previous ZF2016-02 and ZF2014-04 advisories.

As a final consideration, we recommend developers either never use user input for these operations, or filter user input thoroughly prior to invoking Zend_Db. You can use the Zend_Db_Select::quoteInto() method to filter the input data, as shown in this example:

```
$db = Zend_Db::factory(...);
$input = "MD5(\"a(\");DELETE FROM p2; #)"; // user input can be an attack
$order = $db->quoteInto("SQL statement for ORDER", $input);
$select = new Zend_Db_Select($db);
$select->from('p');
$select->order($order); // same with group()
```

| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1 | 9.8 | https://framework.zend.com/security/advisory/ZF2016-03 |
| generic_textual | CRITICAL | https://framework.zend.com/security/advisory/ZF2016-03 |
| cvssv3.1 | 9.8 | https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2016-03.yaml |
| generic_textual | CRITICAL | https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2016-03.yaml |
| cvssv3.1 | 9.8 | https://github.com/zendframework/zf1 |
| generic_textual | CRITICAL | https://github.com/zendframework/zf1 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
| network adjacent_network local physical | low high | none low high | none required | unchanged changed | high low none | high low none | high low none |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-04T16:21:54.945574+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/GHSA-6fqw-j3vm-7f66.yml | 38.6.0 |