SQL Injection Affecting laravel/framework package, versions >=6.0.0, <6.20.11 >=7.0.0, <7.30.2 >=8.0.0, <8.22.1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-LARAVELFRAMEWORK-1060045
- published 14 Jan 2021
- disclosed 14 Jan 2021
- credit Charles Fol
How to fix?
Upgrade laravel/framework to version 6.20.11, 7.30.2, 8.22.1 or higher.
Overview
laravel/framework is a PHP framework for web artisans.
Affected versions of this package are vulnerable to SQL Injection. Laravel database query builder as part of its where and similar methods accepts two parameters - name of a column and a value which provided column should contain. Issue comes from the value parameter which accepts an array as possible input. When an array is added - laravel query builder takes all items from it and uses them in a given order as database binding parameters. Finally, when constructed query is executed it takes all provided binding parameters as is which leads to a possibility where items from an array value will be used as values for other parts of the query thus leaking of unintended data.
Example of a problematic query:
// HTTP Request Query: https://laravel.com/users?id[]=1&id[]=1
$id = Request::input('id');
User::where('id', $id)->where('is_admin', 0)->first();
// This could lead to a query where "is_admin" column is set to 1.