ZendFramework1 -- SQL injection vulnerability

ID D3324FDB-6BF0-11E5-BC5E-00505699053E
Type freebsd
Reporter FreeBSD
Modified 2015-10-12T00:00:00


Zend Framework developers report:

The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.