propel/propel1 SQL injection possible with limit() on MySQL

2024-05-2017:36:28

CWE-89

GitHub Advisory Database

github.com

sql injection

propel

propel1

mysql

orm

limit method

8.5 High

AI Score

Confidence

Low

JSON

The limit() query method is susceptible to catastrophic SQL injection with MySQL.

For example, given a model User for a table users:

UserQuery::create()-&gt;limit('1;DROP TABLE users')-&gt;find();

This will drop the users table!

The cause appears to be a lack of integer casting of the limit input in either Criteria::setLimit() or in DBMySQL::applyLimit(). The code comments there seem to imply that casting was avoided due to overflow issues with 32-bit integers.

This is surprising behavior since one of the primary purposes of an ORM is to prevent basic SQL injection.

This affects all versions of Propel: 1.x, 2.x, and 3.

Affected configurations

Vulners

Node

propelpropel1Range≤1.7.1

CPENameOperatorVersion
propel/propel1le1.7.1

CPE	Name	Operator	Version
	propel/propel1	le	1.7.1

References

github.com/advisories/GHSA-7g7c-qhf3-x59p

github.com/FriendsOfPHP/security-advisories/blob/master/propel/propel1/2018-02-14.yaml

github.com/propelorm/Propel/commit/b72093201f8e225410f62a246653ac039e31c90a

github.com/propelorm/Propel/issues/1052

github.com/propelorm/Propel/pull/1054

8.5 High

AI Score

Confidence

Low

JSON