Calling ->limit($value) on a Query should parse all input to be a non-negative number.
A user attempted a MySQL injection where a limit value was passed to the API; the value passed was:
Encoded:
limit=%3CMETA%20HTTP-EQUIV%3D%22refresh%22%20CONT ENT%3D%220%3Burl%3Djavascript%3Aqss%3D7%22%3E
Decoded:
limit=<META HTTP-EQUIV="refresh" CONT ENT= "0;url=javascript:qss=7">
$query = SomeModel::query();
//removed in between code
$query->limit($limit);
and the ORM treated the LIMIT input as an intval, so it stripped all characters except numbers and negatives, which then returned "-07".
MySQL LIMIT does not accept negative numbers, so it throws an error, and Phalcon outputs the full query to the user, which then exposes more details to the user attempting to SQL inject.
Response:
Syntax error, unexpected token -, near to '07', when parsing: SELECT .....
#0 [internal function]: Phalcon\Mvc\Model\Query->parse()
#1 [internal function]: Phalcon\Mvc\Model\Query->execute(Array, NULL)
#2 [internal function]: Phalcon\Mvc\Model::find(Array)
#3 ...... : Phalcon\Mvc\Model\Criteria->execute()
#4 [internal function]: {closure}()
#5 ..../index.php(19): Phalcon\Mvc\Micro->handle()
#6 {main}
Phalcon version:
Version => 3.0.1
Build Date => Aug 24 2016 11:18:13
PHP Version: (php -v)
PHP 5.6.15
Operating System:
Windows, Ubuntu, Centos
Installation type:
DLL in windows, apt-get in Ubuntu etc..
Zephir version (if any):
Version 0.9.4a-dev-7e304ba18c
Server:
Nginx and Apache
Thanks for reporting. I'll fix it ASAP.
NP, and thanks for the quick reply!
<?php
use Phalcon\Db\Adapter\Pdo\Mysql as DbAdapter;
use Phalcon\DI\FactoryDefault;
use Phalcon\Mvc\Application;

// Register the database service on the default DI container.
$di = new FactoryDefault();
$di->set('db', function () {
    return new DbAdapter([
        'host'     => "127.0.0.1",
        'username' => "root",
        'password' => "123456",
        'dbname'   => "koko",
        "options"  => [
            \PDO::MYSQL_ATTR_INIT_COMMAND  => 'SET NAMES utf8',
            \PDO::ATTR_EMULATE_PREPARES    => false,
            \PDO::ATTR_DEFAULT_FETCH_MODE  => \PDO::FETCH_ASSOC,
            \PDO::ATTR_STRINGIFY_FETCHES   => false
        ]
    ]);
});

// Model mapped to the "Persons" table.
class koko extends \Phalcon\Mvc\Model {
    public function initialize()
    {
        $this->setSource("Persons");
    }
}

$application = new Application($di);

$query = koko::query();
//removed in between code
// Negative limit: reproduces the parse error from the report.
$query->limit(-7);
// The two payloads from the original report, decoded and URL-encoded:
//$query->limit('<META HTTP-EQUIV="refresh" CONT ENT= "0;url=javascript:qss=7">');
//$query->limit("%3CMETA%20HTTP-EQUIV%3D%22refresh%22%20CONT ENT%3D%220%3Burl%3Djavascript%3Aqss%3D7%22%3E");
$a = $query->execute();
echo "<pre>";
var_dump($a->toArray()); //prints all my db results
echo "</pre>";
exit;
php 7.0.13
mysql 5.7.16
Maybe we can tune a little bit here https://github.com/phalcon/cphalcon/blob/master/phalcon/mvc/model/criteria.zep#L512
and here https://github.com/phalcon/cphalcon/blob/master/phalcon/mvc/model/query/builder.zep#L941
to change var to int and offset only if limit is present, stuff like that.
What do you think @sergeyklay?
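The report above shows that a user-supplied limit reaching ->limit() as a raw string ends up in the generated query, and the comment above suggests coercing it to int in the builder. As an added example (not Phalcon's code and not from either comment), the helper below validates an application-side limit before it is passed to the query builder, rejecting negatives and anything that is not a plain decimal integer; the model name `koko` in the usage comment is the one from the reproduction and `parseLimit` is a hypothetical name.

```php
<?php
// Added example, not Phalcon's code: validate a user-supplied limit before it
// reaches Criteria::limit(), so neither a negative value nor a string such as
// '<META HTTP-EQUIV="refresh" ...>' is ever handed to the PHQL builder.

/**
 * Returns the limit as a non-negative int, or null when the input is not a
 * plain decimal integer within [0, $max]. Callers substitute a default for null.
 */
function parseLimit($raw, int $max = 100): ?int
{
    if (is_int($raw)) {
        return ($raw >= 0 && $raw <= $max) ? $raw : null;
    }
    if (!is_string($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects hex, leading zeros, embedded whitespace and
    // any trailing garbage; min_range refuses negatives outright instead of
    // letting an intval() cast turn "-07" into -7.
    $value = filter_var(trim($raw), FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Constructed sample inputs covering the cases discussed in this issue.
$samples = [
    '25',
    '-7',
    '-07',
    '<META HTTP-EQUIV="refresh" CONT ENT= "0;url=javascript:qss=7">',
    '%3CMETA%20HTTP-EQUIV%3D%22refresh%22%20CONT ENT%3D',
    '7abc',
];
foreach ($samples as $s) {
    $limit = parseLimit($s);
    printf("%-70s => %s\n", var_export($s, true), $limit === null ? 'rejected' : $limit);
}

// Usage with the reproduction above (default of 20 when the input is invalid):
// $limit = parseLimit($_GET['limit'] ?? null) ?? 20;
// $query = koko::query()->limit($limit);
```

Because the parse error message shown in the report includes the generated query, catch exceptions thrown by execute() and log them server-side instead of echoing them to the client.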
Fixed in the 3.0.x branch.