Advisories » MGASA-2014-0434

Updated php-ZendFramework packages fix security vulnerabilities

Publication date: 29 Oct 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-8088, CVE-2014-8089


Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_Ldap class is
used for logins, an attacker can log in as any user by using a null byte to
bypass the empty password check and perform an unauthenticated LDAP bind
(CVE-2014-8088).

The sqlsrv PHP extension, which provides the ability to connect to Microsoft
SQL Server from PHP, does not provide a built-in quoting mechanism for
manually quoting values to pass via SQL queries; developers are encouraged to
use prepared statements. Zend Framework provides quoting mechanisms via
Zend_Db_Adapter_Sqlsrv which uses the recommended "double single quote" ('')
as quoting delimiters. SQL Server treats null bytes in a query as a string
terminator, allowing an attacker to add arbitrary SQL following a null byte,
and thus create a SQL injection (CVE-2014-8089).
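
An added example (not Zend Framework or Mageia code) of application-side input checks for both issues above: null bytes are refused before the empty-password check that precedes an LDAP bind, and before "double single quote" quoting of a value for SQL Server. The function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not Zend Framework APIs.

/**
 * Refuse values containing a NUL byte, which the layers below PHP
 * may treat as the end of the string.
 */
function assertNoNulByte(string $value, string $label): string
{
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException("$label contains a NUL byte");
    }
    return $value;
}

/**
 * Password check to run before an LDAP simple bind. An empty password
 * makes the bind unauthenticated, so the empty check is only meaningful
 * once NUL bytes have been ruled out.
 */
function checkedBindPassword(string $password): string
{
    assertNoNulByte($password, 'password');
    if ($password === '') {
        throw new InvalidArgumentException('empty password');
    }
    return $password;
}

/**
 * Manual quoting for code that cannot use prepared statements (still the
 * preferred approach): refuse NUL bytes, then double the single quotes.
 */
function quoteForSqlsrv(string $value): string
{
    assertNoNulByte($value, 'value');
    return "'" . str_replace("'", "''", $value) . "'";
}

// Constructed sample inputs: a normal password, an empty one, a lone NUL.
foreach (['secret', '', "\0"] as $pw) {
    try {
        checkedBindPassword($pw);
        echo "bind allowed\n";
    } catch (InvalidArgumentException $e) {
        echo 'bind refused: ', $e->getMessage(), "\n";
    }
}
echo quoteForSqlsrv("O'Brien"), "\n";
```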