Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Wed, 07 Sep 2016 19:30:28 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: ADOdb PDO driver: incorrect quoting may allow SQL injection

Greetings

jdavidlists reported an issue [1] with the qstr() method in ADOdb 5.x:
it improperly quotes strings, resulting in a potential SQL injection
attack vector.

This affects only PDO-based drivers, and only in the case where the
query is built by inlining the quoted string, e.g.

$strHack = 'xxxx\\\' OR 1 -- ';   // the PHP literal yields the string: xxxx\' OR 1 --
$sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
$rs = $db->getAll($sql); // dumps the whole table

Note that it is not recommended to write SQL as per the above example;
the code should be rewritten to use query parameters, like

$strHack = 'xxxx\\\' OR 1 -- ';
$sql = "SELECT * FROM employees WHERE name = ?";
$rs = $db->getAll($sql, array($strHack)); // value is bound, never inlined into the SQL

Please let me know if a CVE is needed for this.

Patch for the issue is available [2], and will be included in upcoming
ADOdb v5.20.7 release.

Best regards
Damien Regad
ADOdb maintainer


[1] https://github.com/ADOdb/ADOdb/issues/226
[2] https://github.com/ADOdb/ADOdb/commit/bd9eca9
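The following is an added illustration, not ADOdb code, of why the inlined-quoting pattern above fails and what a test for a quoting routine should check. It assumes the flawed behaviour is quote-doubling without backslash escaping on a backend that treats backslash as an escape character (consistent with the payload shown); the literal scanner, function names and sample inputs are constructed here.

```python
# Added example (not ADOdb's code). Models a quoting routine that only doubles
# single quotes (assumed flawed behaviour) next to a backslash-aware one, and a
# small MySQL-style literal scanner that reports any text left outside the literal.

def qstr_quote_doubling(s: str) -> str:
    """Quote by doubling single quotes only (the flawed behaviour modelled here)."""
    return "'" + s.replace("'", "''") + "'"

def qstr_backslash_aware(s: str) -> str:
    """Quote for a backslash-escaping backend: escape backslash, NUL and quote."""
    s = s.replace("\\", "\\\\").replace("\0", "\\0").replace("'", "\\'")
    return "'" + s + "'"

def literal_end(sql: str, start: int = 0) -> int:
    """Return the index just past the string literal opening at sql[start].
    MySQL-style rules: backslash escapes the next character, '' is one quote."""
    if sql[start] != "'":
        raise ValueError("literal must start with a single quote")
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":          # escaped character: skip it
            i += 2
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":  # doubled quote
                i += 2
                continue
            return i + 1       # closing quote found
        i += 1
    raise ValueError("unterminated literal")

def trailing_sql(quoted: str) -> str:
    """Text the backend would parse as SQL after the literal; empty means the
    whole quoted value stayed inside the literal (the property a quoter must have)."""
    return quoted[literal_end(quoted):]

# Constructed sample: the advisory's $strHack, written as a Python string.
PAYLOAD = "xxxx\\' OR 1 -- "

if __name__ == "__main__":
    for name, quoter in (("quote-doubling", qstr_quote_doubling),
                         ("backslash-aware", qstr_backslash_aware)):
        print(f"{name:16} leaks: {trailing_sql(quoter(PAYLOAD))!r}")
```

A regression test for any qstr()-style routine is simply `trailing_sql(qstr(value)) == ""` over inputs containing backslashes and quotes; bound parameters, as recommended above, avoid the question entirely.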
