Headline

GHSA-7vw7-qx38-37vr: Propel2 SQL injection possible with limit() on MySQL

The limit() query method is susceptible to catastrophic SQL injection with MySQL.

For example, given a model User for a table users:

UserQuery::create()->limit('1;DROP TABLE users')->find();

This will drop the users table!

The cause appears to be a lack of integer casting of the limit input in either Propel\Runtime\ActiveQuery\Criteria::setLimit() or in Propel\Runtime\Adapter\Pdo\MysqlAdapter::applyLimit(). The code comments there seem to imply that casting was avoided due to overflow issues with 32-bit integers.

This is surprising behavior since one of the primary purposes of an ORM is to prevent basic SQL injection.

This affects all versions of Propel: 1.x, 2.x, and 3.

6 months ago

ghsa

Open in Source

#sql #git #php

GitHub Advisory Database
GitHub Reviewed
GHSA-7vw7-qx38-37vr

Propel2 SQL injection possible with limit() on MySQL

Critical severity GitHub Reviewed Published May 20, 2024 to the GitHub Advisory Database • Updated May 20, 2024

Package

composer propel/propel (Composer)

Affected versions

>= 2.0.0-alpha1, <= 2.0.0-alpha7

Patched versions

2.0.0-alpha8

The limit() query method is susceptible to catastrophic SQL injection with MySQL.

For example, given a model User for a table users:

UserQuery::create()->limit('1;DROP TABLE users')->find();

This will drop the users table!

This is surprising behavior since one of the primary purposes of an ORM is to prevent basic SQL injection.

This affects all versions of Propel: 1.x, 2.x, and 3.

References

propelorm/Propel2#1463
propelorm/Propel2#1464
propelorm/Propel2@cd23d73
https://github.com/FriendsOfPHP/security-advisories/blob/master/propel/propel/2018-02-14.yaml

Published to the GitHub Advisory Database

May 20, 2024

Last updated

May 20, 2024