GHSA-7vw7-qx38-37vr: 
PHP vulnerability analysis and mitigation

A critical SQL injection vulnerability was discovered in Propel2 (GHSA-7vw7-qx38-37vr) affecting versions 2.0.0-alpha1 through 2.0.0-alpha7. The vulnerability exists in the limit() query method when used with MySQL, where unvalidated input could lead to SQL injection. The issue was discovered and reported on February 14, 2018, and was patched in version 2.0.0-alpha8 (GitHub Advisory).

The vulnerability stems from a lack of integer casting of the limit input in either Propel\Runtime\ActiveQuery\Criteria::setLimit() or in Propel\Runtime\ActiveQuery\Adapter\Pdo\MysqlAdapter::applyLimit(). When constructing a MySQL LIMIT clause, the values for offset and limit were not properly coerced to integers, allowing arbitrary SQL injection. The vulnerability has a CVSS v3.1 score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

The vulnerability allows attackers to perform SQL injection attacks through the limit() query method. For example, an attacker could execute malicious SQL commands such as dropping tables by passing specially crafted input to the limit() function. A proof of concept demonstrated that using UserQuery::create()->limit('1;DROP TABLE users')->find() would successfully inject and execute the DROP TABLE command (GitHub Issue).

The vulnerability was fixed by implementing integer coercion for offset and limit values in the MySQL LIMIT clause. The fix was implemented in version 2.0.0-alpha8, and users are advised to upgrade to this version or later. The patch ensures that all limit inputs are properly cast to integers before being used in SQL queries (GitHub PR).