9.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-7g7c-qhf3-x59p

EPSS Score

CWE

CWE-89

Published

5/20/2024

Updated

5/20/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-7g7c-qhf3-x59p

GHSA-7g7c-qhf3-x59p: propel/propel1 SQL injection possible with limit() on MySQL

The limit() query method is susceptible to catastrophic SQL injection with MySQL.

For example, given a model User for a table users:

UserQuery::create()->limit('1;DROP TABLE users')->find();

This will drop the users table!

The cause appears to be a lack of integer casting of the limit input in either Criteria::setLimit() or in DBMySQL::applyLimit(). The code comments there seem to imply that casting was avoided due to overflow issues with 32-bit integers.

This is surprising behavior since one of the primary purposes of an ORM is to prevent basic SQL injection.

This affects all versions of Propel: 1.x, 2.x, and 3.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-7g7c-qhf3-x59p

EPSS Score

CWE

CWE-89

Published

5/20/2024

Updated

5/20/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
propel/propel1	composer	>= 1, <= 1.7.1	1.7.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key functions: 1) Criteria::setLimit() lacked integer casting of input values, noted by the removed '32-bit issue' comment in the commit diff. 2) DBMySQL::applyLimit() directly concatenated user-controlled limit/offset values into SQL queries. The patch added explicit (int) casting in both locations, and test cases demonstrate how non-integer values (including SQL injection payloads) were previously passed through. These functions form the injection vector as they handle LIMIT clause construction without proper input validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** limit() qu*ry m*t*o* is sus**pti*l* to **t*strop*i* SQL inj**tion wit* MySQL. *or *x*mpl*, *iv*n * mo**l Us*r *or * t**l* us*rs: ``` Us*rQu*ry::*r**t*()->limit('*;*ROP T**L* us*rs')->*in*(); ``` T*is will *rop t** us*rs t**l*! T** **us* *pp**rs

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *) `*rit*ri*::s*tLimit()` l**k** int***r **stin* o* input v*lu*s, not** *y t** r*mov** '**-*it issu*' *omm*nt in t** *ommit *i**. *) `**MySQL::*pplyLimit()` *ir**tly *on**t*n*t** us*r-*ontroll** limit/o

9.8

Basic Information

Concerned about an active attack path?

GHSA-7g7c-qhf3-x59p: propel/propel1 SQL injection possible with limit() on MySQL

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI