PHP SQLite PDO Driver Integer Overflow Vulnerability Leading to SQL Injection

Vulnerability

A vulnerability exists in the PHP SQLite PDO driver, specifically in PHP versions 8.0.* prior to 8.0.27, 8.1.* prior to 8.1.15, and 8.2.* prior to 8.2.2. The issue arises from an uncaught integer overflow in the PDO::quote() function, which is used to safely quote user-supplied data for SQLite. When an excessively long string is provided, the driver may fail to quote the data correctly. This improper quoting can create SQL injection vulnerabilities. The problem is exacerbated by recent versions of SQLite (3.39.2 and 3.39.4), which allow the exploitation of this flaw by manipulating the input string length.

Impact

Exploitation of this vulnerability can lead to SQL injection, allowing attackers to manipulate database queries and potentially execute arbitrary SQL commands.

Reproduction

The vulnerability can be reproduced on a 64-bit architecture by calling PDO::quote() with a string whose length is not restricted: create a string approximately 2 billion characters long and pass it to quote(). The expected result is a properly quoted string or an error indication, but the actual result is an improperly quoted string containing just a single apostrophe.

Remediation

Users can upgrade to PHP versions 8.0.27, 8.1.15, or 8.2.2 to address this vulnerability.
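A defensive check for the versions listed above, as an added example (not code from the PHP project or from this advisory): it flags affected runtimes, wraps PDO::quote() so it fails closed on oversized input or a malformed result, and shows the bound-parameter alternative. The names isAffected, quoteChecked and MAX_QUOTE_BYTES, and the 1 MiB limit, are assumptions.

```php
<?php
declare(strict_types=1);

// Fixed release per affected branch, taken from the advisory text above.
const FIXED = ['8.0' => '8.0.27', '8.1' => '8.1.15', '8.2' => '8.2.2'];
// Assumed application limit: the largest input this code will ever quote.
const MAX_QUOTE_BYTES = 1 << 20;

/** True when $version lies in a range the advisory lists as affected. */
function isAffected(string $version): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    $fixed = FIXED[$branch] ?? null;
    return $fixed !== null && version_compare($version, $fixed, '<');
}

/** PDO::quote() wrapper that fails closed instead of returning a bad literal. */
function quoteChecked(PDO $pdo, string $value): string
{
    if (strlen($value) > MAX_QUOTE_BYTES) {
        throw new LengthException('input exceeds MAX_QUOTE_BYTES');
    }
    $quoted = $pdo->quote($value);
    // A well-formed literal is delimited by apostrophes and is never shorter
    // than the input plus its two delimiters; a lone apostrophe fails this test.
    if (!is_string($quoted) || strlen($quoted) < strlen($value) + 2
        || $quoted[0] !== "'" || substr($quoted, -1) !== "'") {
        throw new RuntimeException('PDO::quote() returned a malformed literal');
    }
    return $quoted;
}

// Constructed sample versions, plus the runtime executing this script.
foreach (['8.0.26', '8.1.15', '8.2.1', PHP_VERSION] as $v) {
    printf("%-10s %s\n", $v, isAffected($v) ? 'affected' : 'not in an affected range');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (body TEXT)');

$input = "it's a constructed test value";
echo quoteChecked($pdo, $input), "\n";

// Bound parameters keep user data out of the SQL text, so quote() is not needed.
$stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (?)');
$stmt->execute([$input]);
echo $pdo->query('SELECT COUNT(*) FROM notes')->fetchColumn(), " row stored\n";
```

Distribution packages may backport the fix without changing the upstream version string, so a positive from isAffected is a prompt to check the package changelog rather than proof of exposure.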

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 5.0
exploitability: 9.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.