Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03ZzdjLXFoZjMteDU5cM4AA8V0
propel/propel1 SQL injection possible with limit() on MySQL
The limit() query method is susceptible to catastrophic SQL injection with MySQL.
For example, given a model User for a table users:
UserQuery::create()->limit('1;DROP TABLE users')->find();
This will drop the users table!
The cause appears to be a lack of integer casting of the limit input in either Criteria::setLimit() or in DBMySQL::applyLimit(). The code comments there seem to imply that casting was avoided due to overflow issues with 32-bit integers.
This is surprising behavior since one of the primary purposes of an ORM is to prevent basic SQL injection.
This affects all versions of Propel: 1.x, 2.x, and 3.
Permalink: https://github.com/advisories/GHSA-7g7c-qhf3-x59pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ZzdjLXFoZjMteDU5cM4AA8V0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-7g7c-qhf3-x59p
References:
- https://github.com/propelorm/Propel/issues/1052
- https://github.com/propelorm/Propel/pull/1054
- https://github.com/propelorm/Propel/commit/b72093201f8e225410f62a246653ac039e31c90a
- https://github.com/FriendsOfPHP/security-advisories/blob/master/propel/propel1/2018-02-14.yaml
- https://github.com/advisories/GHSA-7g7c-qhf3-x59p
Blast Radius: 28.1
Affected Packages
packagist:propel/propel1
Dependent packages: 118Dependent repositories: 739
Downloads: 1,502,765 total
Affected Version Ranges: >= 1, <= 1.7.1
Fixed in: 1.7.2
All affected versions: 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.7.0, 1.7.1
All unaffected versions: 1.7.2