ZF2016-02: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select

ZF2016-02: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select

The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is
vulnerable by the following SQL injection:

$db = Zend_Db::factory(/* options here */);
$select = new Zend_Db_Select($db);
$select->from('p');
$select->order("MD5("(");DELETE FROM p2; #)"); // same with group()

The above $select will render the following SQL statement:

SELECT `p`.* FROM `p` ORDER BY MD5("");DELETE FROM p2; #) ASC

instead of the correct one:

SELECT `p`.* FROM `p` ORDER BY "MD5("""");DELETE FROM p2; #)" ASC

This security fix can be considered as an improvement of the previous
ZF2014-04.

Action Taken

We fixed the reported SQL injection using two regular expressions for the order() and the group()
methods in Zend_Db_Select, created as the class constants REGEX_COLUMN_EXPR_ORDER and
REGEX_COLUMN_EXPR_GROUP, respectively. These are defined as:

/^([w]+s*(([^()]|(?1))*))$/

This regexp is different from the previous REGEX_COLUMN_EXPR, which used the
character patterm [w]*; we now require at least one word boundary ([w]+).

The patch is available starting in Zend Framework 1.12.19.

Other Information

This SQL injection attack does not affect Zend Framework 2 and 3 versions because the
implementations of ZendDbSqlSelect::order() and ZendDbSqlSelect::group() do
not manage parenthetical expressions.

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and
working with us to help protect its users:

  • Peter O’Callaghan, who discovered and reported the issue;
  • Enrico Zimuel, who provided the patch.

Source: Zend security feed