CVE-2011-1939
published 2019-11-26

CVE-2011-1939: SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction with PDO_MySql…

Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.86% (88.8th percentile)
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction with PDO_MySql in PHP before 5.3.6.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| php | php | < 5.3.6 | 5.3.6 |
| zend | zend_framework | >= 1.10.0 < 1.10.9 | 1.10.9 |
| zend | zend_framework | >= 1.11.0 < 1.11.6 | 1.11.6 |
| zendframework_php | php | | |
| zendframework_php | zendframework | | |
| zendframework_php | zendframework | | |

Detection & IOCs (extracted from sources)

command:
    $dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK';
    $pdo = new PDO($dsn, $user, $pass);
    $pdo->exec('SET NAMES GBK');
    $string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
bytes: 0xbf 0x27
  • Look for SQL injection attempts using a multi-byte encoding bypass (e.g., GBK charset) in MySQL queries, specifically the byte sequence 0xBF27 appearing in query parameters or PDO-quoted strings. 0xBF27 is an invalid GBK sequence: when the quote is escaped, the lead byte 0xBF absorbs the inserted backslash, leaving the single quote unescaped.
  • Detect use of 'SET NAMES GBK' (or another non-ASCII-compatible encoding) in MySQL sessions combined with PDO_MySql, as this is the prerequisite condition for the bypass to succeed.
  • Flag SQL queries targeting INFORMATION_SCHEMA.TABLES with suspicious LIKE clauses containing non-ASCII byte sequences, as the proof-of-concept exploit enumerates schema objects via this vector.
  • Vulnerable Zend Framework versions are 1.10.x before 1.10.9 and 1.11.x before 1.11.6; detect these versions in deployed application manifests or composer/package metadata.
  • The vulnerability is only exploitable when a non-ASCII-compatible encoding (such as GBK) is used; encodings like UTF-8 and latin1 are NOT affected.
  • The vulnerability requires PHP versions before 5.3.6 in addition to the vulnerable Zend Framework version; upgrading PHP to 5.3.6+ independently mitigates the issue.

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P