propel/propel1 SQL injection possible with limit() on MySQL
Critical severity
GitHub Reviewed
Published
May 20, 2024
to the GitHub Advisory Database
•
Updated May 20, 2024
Description
Published to the GitHub Advisory Database
May 20, 2024
Reviewed
May 20, 2024
Last updated
May 20, 2024
The limit() query method is susceptible to catastrophic SQL injection with MySQL.
For example, given a model User for a table users:
This will drop the users table!
The cause appears to be a lack of integer casting of the limit input in either Criteria::setLimit() or in DBMySQL::applyLimit(). The code comments there seem to imply that casting was avoided due to overflow issues with 32-bit integers.
This is surprising behavior since one of the primary purposes of an ORM is to prevent basic SQL injection.
This affects all versions of Propel: 1.x, 2.x, and 3.
References