PHP PDO Firebird Driver SQL Injection Vulnerability via NUL Byte Handling

Vulnerability

A SQL injection vulnerability has been identified in the PHP PDO Firebird driver, affecting PHP 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6. The root cause is the driver's handling of NUL bytes while preparing SQL text. PDO::quote() itself works on the value's full length: a string such as "x\0" comes back correctly quoted and escaped, NUL included. The defect is in the driver's later query construction step, which rebuilds the statement token by token and appends each string token with strncat(). strncat() stops at the first NUL byte, so everything after the NUL in that token, including its closing quote, is dropped, and the tokens that follow are appended inside the still-open string literal, where the SQL parser treats them as part of the string. The result is SQL injection wherever an application quotes attacker-controlled values with PDO::quote() and splices them into a statement, provided the attacker can place a NUL byte in the value (PHP strings are binary-safe, so ordinary request input can carry one).

Impact

Exploitation allows an attacker to alter the structure of the SQL statement and execute SQL of their choosing with the privileges of the application's database account, potentially leading to unauthorized reading or modification of data.

Reproduction

To reproduce the vulnerability, pass a string containing a NUL byte (for example "x\0") to PDO::quote() on a Firebird connection, splice the result into an SQL statement that has further clauses after it, and execute the statement through the same connection. The quoted value is intact when quote() returns it; it is the driver's statement preprocessing that truncates the token at the NUL byte and drops the closing quote, so the clauses that follow are absorbed into the string literal. Any later quoted value in the same statement can then terminate that literal, and whatever follows it is parsed as SQL, which is where an attacker-controlled payload enters.
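The steps above, together with the strncat() behaviour described under Vulnerability, as an added C model written for this page (it is not code from the PHP driver). scan_token() is a stand-in for the driver's scanner and only knows quoted literals and runs of other bytes; the real scanner is more complete. The table and column names, the two values, the quote() model and every function name are constructed for the illustration. rebuild_vulnerable() appends each token with strncat() exactly as the advisory describes; rebuild_fixed() copies by explicit length.

```c
#include <stdio.h>
#include <string.h>

#define QMAX 256   /* buffer size for every query built here */

/* Length of the token at s[0]: a quoted literal ('...' with '' as the escaped
 * quote; a NUL is ordinary data) or a maximal run of bytes with no quote. */
static size_t scan_token(const char *s, size_t n) {
    size_t i = 1;
    if (n == 0) return 0;
    if (s[0] != '\'') {
        while (i < n && s[i] != '\'') i++;
        return i;
    }
    while (i < n) {
        if (s[i] != '\'') { i++; continue; }
        if (i + 1 < n && s[i + 1] == '\'') { i += 2; continue; } /* '' escape */
        return i + 1;                        /* include the closing quote */
    }
    return n;                                /* unterminated: take the rest */
}

/* Vulnerable rebuild, modelling the flaw the advisory describes: strncat()
 * reads a token only up to its first NUL, so the bytes after the NUL, the
 * closing quote among them, never reach the output. Requires outsz > n. */
size_t rebuild_vulnerable(const char *sql, size_t n, char *out, size_t outsz) {
    size_t pos = 0;
    out[0] = '\0';
    while (pos < n) {
        size_t len = scan_token(sql + pos, n - pos);
        if (strlen(out) + len >= outsz) return 0;
        strncat(out, sql + pos, len);        /* stops at NUL, not at len */
        pos += len;
    }
    return strlen(out);
}

/* NUL-safe rebuild: copy exactly len bytes per token and keep the output
 * length in a counter instead of trusting the C string terminator. */
size_t rebuild_fixed(const char *sql, size_t n, char *out, size_t outsz) {
    size_t pos = 0, o = 0;
    while (pos < n) {
        size_t len = scan_token(sql + pos, n - pos);
        if (o + len >= outsz) return 0;
        memcpy(out + o, sql + pos, len);
        o += len;
        pos += len;
    }
    out[o] = '\0';
    return o;
}

/* Model of PDO::quote() for Firebird: double embedded single quotes and wrap
 * the value in single quotes. Length-based, so a NUL byte passes through. */
static size_t append_quoted(char *out, size_t o, const char *v, size_t vlen) {
    out[o++] = '\'';
    for (size_t i = 0; i < vlen; i++) {
        if (v[i] == '\'') out[o++] = '\'';
        out[o++] = v[i];
    }
    out[o++] = '\'';
    return o;
}

/* Constructed sample statement (names invented): two attacker-controlled
 * values, both passed through the quote() model. The first carries a NUL
 * byte; the second is the text the vulnerable rebuild exposes as SQL. */
size_t sample_query(char *out) {               /* out must hold QMAX bytes */
    const char head[] = "SELECT id FROM users WHERE name = ";
    const char mid[]  = " AND role = ";
    const char v1[]   = "x\0";               /* 2 bytes: 'x', NUL */
    const char v2[]   = "' OR 1=1 --";
    size_t o = 0;
    memcpy(out, head, sizeof head - 1);      o += sizeof head - 1;
    o = append_quoted(out, o, v1, 2);
    memcpy(out + o, mid, sizeof mid - 1);    o += sizeof mid - 1;
    o = append_quoted(out, o, v2, sizeof v2 - 1);
    return o;
}

/* What the vulnerable rebuild makes of the sample query (static buffer). */
const char *vulnerable_text(void) {
    static char out[QMAX];
    char q[QMAX];
    size_t n = sample_query(q);
    rebuild_vulnerable(q, n, out, sizeof out);
    return out;
}

/* 1 if the fixed rebuild reproduces every byte of the sample query. */
int fixed_is_lossless(void) {
    char q[QMAX], out[QMAX];
    size_t n = sample_query(q);
    return rebuild_fixed(q, n, out, sizeof out) == n && memcmp(q, out, n) == 0;
}

int main(void) {
    printf("vulnerable rebuild: %s\n", vulnerable_text());
    printf("fixed rebuild lossless: %s\n", fixed_is_lossless() ? "yes" : "no");
    return 0;
}
```

With the sample values the vulnerable rebuild emits SELECT id FROM users WHERE name = 'x AND role = ''' OR 1=1 --'. The literal opened at 'x now runs to the doubled quote, so its content is x AND role = ', and the remainder OR 1=1 --' is parsed as SQL (Firebird treats -- as a line comment). The fixed rebuild returns all 64 input bytes unchanged, NUL included. The discipline behind the fix is general: a token that carries its own length must be copied by that length, never by a C string function that stops at the first NUL.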

Remediation

Upgrade to PHP 8.2.31, 8.3.31, 8.4.21 or 8.5.6 (or any later release in the same branch). Until the upgrade is in place, keep application code off the vulnerable path: use prepared statements with bound parameters, which keep values out of the SQL text the driver preprocesses, instead of interpolating PDO::quote() output into statements, and reject input containing a NUL byte before it reaches quote().

Added: May 10, 2026, 5:22 AM
Updated: May 10, 2026, 5:22 AM

Vulnerability Rating

Custom Algorithm
spread: 9.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 7.9
threat: 6.4
urgency: 5.7
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.