propel/propel1 SQL injection possible with limit() on MySQL

2024-05-2017:36:28

Google

osv.dev

sql injection

propel1

mysql

risk

security

orm

8.5 High

AI Score

Confidence

Low

JSON

The limit() query method is susceptible to catastrophic SQL injection with MySQL.

For example, given a model User for a table users:

UserQuery::create()-&gt;limit('1;DROP TABLE users')-&gt;find();

This will drop the users table!

The cause appears to be a lack of integer casting of the limit input in either Criteria::setLimit() or in DBMySQL::applyLimit(). The code comments there seem to imply that casting was avoided due to overflow issues with 32-bit integers.

This is surprising behavior since one of the primary purposes of an ORM is to prevent basic SQL injection.

This affects all versions of Propel: 1.x, 2.x, and 3.

CPENameOperatorVersion
propel/propel1eq1.6.3
propel/propel1eq1.6.2
propel/propel1eq1.7.0
propel/propel1eq1.6.4
propel/propel1eq1.6.6
propel/propel1eq1.6.8
propel/propel1eq1.6.7
propel/propel1eq1.6.9
propel/propel1eq1.6.5
propel/propel1eq1.7.1

Name	Operator	Version
propel/propel1	eq	1.6.3
propel/propel1	eq	1.6.2
propel/propel1	eq	1.7.0
propel/propel1	eq	1.6.4
propel/propel1	eq	1.6.6
propel/propel1	eq	1.6.8
propel/propel1	eq	1.6.7
propel/propel1	eq	1.6.9
propel/propel1	eq	1.6.5
propel/propel1	eq	1.7.1

References

github.com/FriendsOfPHP/security-advisories/blob/master/propel/propel1/2018-02-14.yaml

github.com/propelorm/Propel

github.com/propelorm/Propel/commit/b72093201f8e225410f62a246653ac039e31c90a

github.com/propelorm/Propel/issues/1052

github.com/propelorm/Propel/pull/1054

8.5 High

AI Score

Confidence

Low

JSON