Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Zend Framework < 1.12.7 SQL Injection

High

Synopsis

The remote host is using a version of Zend Framework that is vulnerable to SQL Injection (SQLi).

Description

Versions of Zend Framework earlier than 1.12.7 contain a flaw that may allow an SQL injection attack. The issue is due to the 'Zend_Db_Select::order()' function not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Solution

Upgrade Zend Framework to version 1.12.7 or later.