CVE-2014-8089: 
PHP vulnerability analysis and mitigation

SQL injection vulnerability identified as CVE-2014-8089 affects Zend Framework versions before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3. The vulnerability was discovered in September 2014 and specifically impacts installations using the sqlsrv PHP extension (Zend Advisory).

The vulnerability exists in the SQL Server adapter's quoting mechanism. When using the sqlsrv PHP extension, SQL Server treats null bytes in a query as a string terminator. The affected components are Zend Framework 1's Zend_Db_Adapter_Sqlsrv and Zend Framework 2's Zend\Db\Adapter\Platform\SqlServer classes. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) and CVSS v2.0 score of 7.5 (High) (NVD).

The vulnerability allows remote attackers to execute arbitrary SQL commands via a null byte, potentially leading to unauthorized database access and manipulation. Notably, developers using the PDO_Sqlsrv adapter are not vulnerable to this attack, as PDO provides a native quoting mechanism that prevents the attack vector (Zend Advisory).

The issue has been fixed in Zend Framework versions 1.12.9, 2.2.8, and 2.3.3. The fix involves passing values to PHP's addcslashes function to sanitize and properly quote null bytes using the command: $value = addcslashes($value, "\000\032"). Organizations using affected versions are strongly recommended to upgrade immediately (Zend Advisory).