Description
SQL injection in pdo_firebird via NUL bytes in quoted strings
Improper handling of NUL bytes during the preparation of Firebird SQL queries leads to sections of the query being dropped. NUL bytes can find their way into queries even under regular circumstances via PDO::quote().
A new query is constructed token-by-token. In the case of a ttString token containing a '\0' byte, the string is copied via strncat() rather than memcpy(), so the copy stops at the '\0' and ignores both the '\0' itself and the terminating ' quote. This incorrectly embeds the SQL tokens following the string into the string, allowing for trivial SQL injection if the next string is also attacker-controlled.
This incorrect preparation applies to SELECT, INSERT, UPDATE, DELETE, MERGE, WITH and EXECUTE statements.
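The copying defect described above, as an added illustration that is not pdo_firebird's own code (the SQL fragments and function names are constructed for the demo): the strncat() rebuild silently drops everything from the embedded NUL onward, including the closing quote, while a memcpy() rebuild that carries an explicit byte count keeps the literal intact.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample pieces: a quoted string token carrying an embedded
 * NUL, as PDO::quote() may produce, followed by the SQL tokens after it. */
static const char PREFIX[] = "SELECT 1 FROM t WHERE a = ";
static const char TOKEN[]  = "'ab\0cd'";        /* 7 bytes, NUL at offset 3 */
static const char REST[]   = " AND b = 2";
#define TOKEN_LEN (sizeof(TOKEN) - 1)

/* Vulnerable rebuild: strncat() treats the token as a C string and stops
 * at the embedded NUL. The closing quote is lost and REST is appended
 * inside the still-open literal. Returns the length strlen() reports. */
size_t rebuild_strncat(char *out, size_t outsz) {
    out[0] = '\0';
    strncat(out, PREFIX, outsz - 1);
    strncat(out, TOKEN, TOKEN_LEN);                 /* halts at '\0' */
    strncat(out, REST, outsz - strlen(out) - 1);
    return strlen(out);
}

/* Fixed rebuild: memcpy() with a running byte count keeps every byte of
 * the token, NUL included, so the closing quote survives. The caller
 * must keep passing this explicit length; strlen() on out would lie. */
size_t rebuild_memcpy(char *out, size_t outsz) {
    size_t n = 0;
    size_t plen = sizeof(PREFIX) - 1, rlen = sizeof(REST) - 1;
    if (plen + TOKEN_LEN + rlen >= outsz) return 0; /* no room */
    memcpy(out + n, PREFIX, plen);     n += plen;
    memcpy(out + n, TOKEN, TOKEN_LEN); n += TOKEN_LEN;
    memcpy(out + n, REST, rlen);       n += rlen;
    out[n] = '\0';
    return n;
}

/* Count single quotes over an explicit length: one string literal should
 * yield exactly two; the broken rebuild yields one (unbalanced). */
size_t quote_count(const char *buf, size_t len) {
    size_t c = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\'') c++;
    return c;
}
```

Checking the rebuilt text for balanced quotes over its explicit length, as quote_count() does, is a cheap regression test for this class of bug.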
Credits
Aleksey Solovev, Nikita Sveshnikov (Positive Technologies)
Packages

Package           Affected versions   Patched version
ext-pdo_firebird  < 8.2.31            8.2.31
ext-pdo_firebird  < 8.3.31            8.3.31
ext-pdo_firebird  < 8.4.21            8.4.21
ext-pdo_firebird  < 8.5.6             8.5.6
Related vulnerabilities
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.