Date: Wed, 07 Sep 2016 19:30:28 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: ADOdb PDO driver: incorrect quoting may allow SQL injection

Greetings

jdavidlists reported an issue [1] with ADOdb 5.x, qstr() method,
improperly quoting strings resulting in a potential SQL injection
attack vector.

This affects only PDO-based drivers, and only in the case where the
query is built by inlining the quoted string, e.g.

    $strHack = 'xxxx\\\' OR 1 -- ';
    $sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
    $rs = $db->getAll($sql); // dumps the whole table

Note that it is not recommended to write SQL as per the above example;
the code should be rewritten to use query parameters, like

    $strHack = 'xxxx\\\' OR 1 -- ';
    $sql = "SELECT * FROM employees WHERE name = ?";
    $rs = $db->getAll($sql, array($strHack));

Please let me know if a CVE is needed for this.

Patch for the issue is available [2], and will be included in upcoming
ADOdb v5.20.7 release.

Best regards
Damien Regad
ADOdb maintainer

[1] https://github.com/ADOdb/ADOdb/issues/226
[2] https://github.com/ADOdb/ADOdb/commit/bd9eca9
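As an added example (not code from the advisory or from ADOdb), the two query-building patterns the post contrasts, written in Python against an in-memory SQLite table, together with a round-trip regression check that catches a quoting routine whose escaping rules do not match the backend's. The employees rows, the helper names `backslash_qstr`, `sqlite_qstr`, `lookup_inlined`, `lookup_parameterised` and `quoting_round_trips`, and the sample strings are all constructed for this illustration; `backslash_qstr` is a hypothetical stand-in for an incorrect quoting routine and is not ADOdb's `qstr()`. The hostile value is the one shown in the post.

```python
import sqlite3

# Constructed sample table (not from the advisory).
EMPLOYEES = [("alice", "eng"), ("bob", "ops"), ("carol", "sec")]

# The hostile value from the advisory: backslash, single quote, tautology, comment.
HOSTILE_NAME = "xxxx\\' OR 1 -- "

# Constructed regression samples: ordinary text, an embedded quote, a backslash,
# the advisory's value, and a trailing quote.
SAMPLES = ["plain", "O'Brien", "back\\slash", HOSTILE_NAME, "trailing quote'"]


def new_db():
    """In-memory SQLite database holding the constructed employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    return conn


def backslash_qstr(s):
    """Hypothetical stand-in for an incorrect quoting routine (not ADOdb's code):
    it escapes the quote with a backslash, which SQLite does not treat as an
    escape character, so the quote can still terminate the literal."""
    return "'" + s.replace("'", "\\'") + "'"


def sqlite_qstr(s):
    """Quoting that matches SQLite's own rule: double every single quote."""
    return "'" + s.replace("'", "''") + "'"


def lookup_inlined(conn, name, qstr):
    """The pattern the advisory warns against: quote, then concatenate into SQL."""
    sql = "SELECT name FROM employees WHERE name = " + qstr(name) + " ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """The recommended pattern: a placeholder with the value bound separately,
    so the driver never has to interpret the value as SQL text."""
    sql = "SELECT name FROM employees WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def quoting_round_trips(conn, qstr, samples):
    """Regression check for a quoting routine: SELECT <qstr(s)> must return
    exactly one row with exactly s. Any parse error or altered result means
    the quoted form was read as something other than a single string literal.
    Returns the samples that fail, in input order."""
    failures = []
    for s in samples:
        try:
            rows = conn.execute("SELECT " + qstr(s)).fetchall()
        except sqlite3.Error:
            failures.append(s)
            continue
        if rows != [(s,)]:
            failures.append(s)
    return failures


if __name__ == "__main__":
    db = new_db()
    print("inlined, mismatched quoting:", lookup_inlined(db, HOSTILE_NAME, backslash_qstr))
    print("inlined, correct quoting:   ", lookup_inlined(db, HOSTILE_NAME, sqlite_qstr))
    print("parameterised:              ", lookup_parameterised(db, HOSTILE_NAME))
    print("round-trip failures (mismatched):", quoting_round_trips(db, backslash_qstr, SAMPLES))
    print("round-trip failures (correct):   ", quoting_round_trips(db, sqlite_qstr, SAMPLES))
```

With the mismatched quoting the inlined lookup returns every row, exactly the "dumps the whole table" outcome the post describes, while both the correctly quoted inline form and the parameterised form return nothing for the hostile value. The round-trip check is the part worth keeping in a project's test suite: it flags the mismatched routine on three of the five samples, and it is independent of any particular payload, so it also catches escaping mistakes nobody has written an exploit string for yet.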