GHSA-7g7c-qhf3-x59p: propel/propel1 SQL injection possible with limit() on MySQL

CVSS Score (v3.1): 9.8

Basic Information

CVE ID: -
EPSS Score: -
Published: 5/20/2024
Updated: 5/20/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name   | Ecosystem | Vulnerable Versions | First Patched Version
propel/propel1 | composer  | >= 1, <= 1.7.1      | 1.7.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from two functions. 1) Criteria::setLimit() did not cast its argument to an integer; the commit diff removes a '32-bit issue' comment that recorded why the cast had been left out. 2) DBMySQL::applyLimit() concatenated the limit and offset values straight into the SQL string. The 1.7.2 patch adds an explicit (int) cast at both points, and the accompanying test cases show how non-integer values, including SQL injection payloads, were previously passed through unchanged. Together these functions form the injection vector because they build the LIMIT clause without validating their input; in practice the tainted value typically arrives through request-controlled pagination parameters that an application hands to limit() or offset() without casting.
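To make the root cause concrete, the following added example (not Propel's code; the two function bodies are simplified reconstructions of the shape the advisory describes, and the SELECT text is constructed here) contrasts a LIMIT builder that concatenates its arguments verbatim with one that casts them to int first, using the advisory's own payload as input:

```php
<?php
// Added example, not Propel's own code. The bodies below are simplified
// models of DBMySQL::applyLimit() before and after the 1.7.2 fix.

// Vulnerable shape: limit/offset are appended to the SQL string as-is,
// so any non-integer text they carry becomes part of the query.
function applyLimitVulnerable(string $sql, $offset, $limit): string
{
    if ($limit > 0) {
        return $sql . ' LIMIT ' . ($offset > 0 ? $offset . ', ' : '') . $limit;
    }
    if ($offset > 0) {
        // MySQL idiom for "offset without a limit"
        return $sql . ' LIMIT ' . $offset . ', 18446744073709551615';
    }
    return $sql;
}

// Hardened shape: coerce both values to int before they reach the SQL
// string. This is the same fix the patch applies in Criteria::setLimit().
function applyLimitFixed(string $sql, $offset, $limit): string
{
    $offset = (int) $offset;
    $limit  = (int) $limit;
    // Once both values are ints, the concatenation below cannot carry SQL.
    return applyLimitVulnerable($sql, $offset, $limit);
}

$base    = 'SELECT users.id, users.name FROM users'; // constructed sample query
$payload = '1;DROP TABLE users';                     // the advisory's limit() argument

$bad  = applyLimitVulnerable($base, 0, $payload);
$good = applyLimitFixed($base, 0, $payload);

// Vulnerable: the payload survives intact. A driver that accepts multiple
// statements would execute the DROP right after the SELECT.
assert($bad === 'SELECT users.id, users.name FROM users LIMIT 1;DROP TABLE users');
// Fixed: (int) '1;DROP TABLE users' === 1, everything after the digit is dropped.
assert($good === 'SELECT users.id, users.name FROM users LIMIT 1');

echo $bad, PHP_EOL, $good, PHP_EOL;
```

Run it with `php example.php` (assertions are enabled by default in the CLI with zend.assertions=1). The point to take away is that the cast is a complete fix only because LIMIT and OFFSET are integer-valued by definition; the same trick does not generalise to string-valued clauses, which need parameter binding.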


WAF Protection Rules

WAF Rule

The limit() query method is susceptible to catastrophic SQL injection with MySQL. For example, given a model User for a table users:

```
UserQuery::create()->limit('1;DROP TABLE users')->find();
```

This will drop the users table! The cause appears
