CVE-2011-1939
Published 2019-11-26
Priority P264, critical, 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 3.86% (88.8th percentile)
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction with PDO_MySql in PHP before 5.3.6.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| php | php | < 5.3.6 | 5.3.6 |
| zend | zend_framework | >= 1.10.0 < 1.10.9 | 1.10.9 |
| zend | zend_framework | >= 1.11.0 < 1.11.6 | 1.11.6 |
| zendframework_php | php | — | — |
| zendframework_php | zendframework | — | — |
| zendframework_php | zendframework | — | — |
Detection & IOCs (extracted from sources)
command:

```php
$dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK';
$pdo = new PDO($dsn, $user, $pass);
$pdo->exec('SET NAMES GBK');
$string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
```

bytes: 0xbf 0x27

- Look for SQL injection attempts that use a multi-byte encoding bypass (e.g., the GBK charset) in MySQL queries, specifically the byte sequence 0xBF27 (an invalid GBK sequence that collapses the following single-quote escape) appearing in query parameters or PDO-quoted strings.
- Detect use of 'SET NAMES GBK' (or another non-ASCII-compatible encoding) in MySQL sessions combined with PDO_MySql, as this is the prerequisite condition for the bypass to succeed.
- Flag SQL queries targeting INFORMATION_SCHEMA.TABLES with suspicious LIKE clauses containing non-ASCII byte sequences, as the proof-of-concept exploit enumerates schema objects via this vector.
- Vulnerable Zend Framework versions are 1.10.x before 1.10.9 and 1.11.x before 1.11.6; detect these versions in deployed application manifests or composer/package metadata.
- The vulnerability is only exploitable when a non-ASCII-compatible encoding (such as GBK) is used; encodings like UTF-8 and latin1 are NOT affected.
- The vulnerability requires PHP versions before 5.3.6 in addition to the vulnerable Zend Framework version; upgrading PHP to 5.3.6+ independently mitigates the issue.
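
Added example (not from this page or its sources): Python detection logic for the first two items above. It walks each decoded request parameter as GBK so that a quote after a complete two-byte character is not flagged, and it checks SQL text for `SET NAMES GBK`. The function names and sample URLs are constructed for illustration, and the GBK lead and trail byte ranges are an assumption taken from the encoding's definition, not from this page.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

GBK_LEAD = range(0x81, 0xFF)  # GBK lead bytes 0x81-0xFE (assumption: encoding definition)
SET_NAMES = re.compile(r"\bSET\s+NAMES\s+'?(\w+)'?", re.I)
RISKY_CHARSETS = {"gbk"}      # the charset named on the page; extend per environment

def is_gbk_trail(b: int) -> bool:
    # Valid GBK trail bytes: 0x40-0x7E and 0x80-0xFE (0x27 is not one of them)
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE

def find_lead_quote(data: bytes) -> list:
    """Offsets where a GBK lead byte is directly followed by 0x27 (')."""
    hits, i = [], 0
    while i < len(data):
        if data[i] in GBK_LEAD and i + 1 < len(data):
            nxt = data[i + 1]
            if nxt == 0x27:          # e.g. 0xBF 0x27: incomplete character + quote
                hits.append(i)
                i += 2
                continue
            if is_gbk_trail(nxt):    # complete two-byte character: skip it whole
                i += 2
                continue
        i += 1
    return hits

def scan_request(url: str) -> list:
    """(parameter, offset) pairs for suspicious byte pairs in a URL query string."""
    findings = []
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_to_bytes(raw.replace("+", " "))
        findings += [(name, off) for off in find_lead_quote(value)]
    return findings

def risky_set_names(sql: str) -> bool:
    """True when a statement switches the session to a charset in RISKY_CHARSETS."""
    m = SET_NAMES.search(sql)
    return bool(m) and m.group(1).lower() in RISKY_CHARSETS

SAMPLE_URLS = [  # constructed request lines
    "/search?q=%c4%e3%27s",         # complete GBK character 0xC4E3, then a quote: benign
    "/search?q=%bf%27+OR+1+%3D+1",  # the byte pair listed on this page
    "/search?q=O%27Brien",          # plain ASCII quote: benign
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, scan_request(u))
```

A naive substring search for a high byte followed by `0x27` would also flag the first sample, which is why the scanner consumes complete two-byte characters before testing.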
CVSS provenance
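| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |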
No detection rules found.
- http://security.gentoo.org/glsa/glsa-201408-01.xml
- http://www.securityfocus.com/bid/47919
- https://access.redhat.com/security/cve/cve-2011-1939
- https://bugs.php.net/bug.php?id=47802
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939
- https://framework.zend.com/security/advisory/ZF2011-02
- https://security-tracker.debian.org/tracker/CVE-2011-1939