Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Zend Framework < 1.12.16 SQL Injection

High

Synopsis

The remote host is using a version of Zend Framework that is vulnerable to SQL Injection (SQLi).

Description

Versions of Zend Framework earlier than 1.12.16 contain a flaw that may allow an SQL injection attack. The issue is due to 'Zend_Db_Adapter_Pdo_Abstract' not properly sanitizing user-supplied input involving null bytes. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Solution

Upgrade Zend Framework to version 1.12.16 or later.