Date: Wed, 14 Sep 2016 08:32:03 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection

On 2016-09-07 19:30, Damien Regad wrote:
> Greetings
> 
> jdavidlists reported an issue [1] with ADOdb 5.x, qstr() method,
> improperly quoting strings resulting in a potential SQL injection attack
> vector.
> 
> This affects only PDO-based drivers, and only in the case where the
> query is built by inlining the quoted string, e.g.
> 
> $strHack = 'xxxx\\\' OR 1 -- ';
> $sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
> $rs = $db->getAll($sql); // dumps the whole table
> 
> Note that it is not recommended to write SQL as per the above example,
> the code should be rewritten to use query parameters, like
> 
> $strHack = 'xxxx\\\' OR 1 -- ';
> $sql = "SELECT * FROM employees WHERE name = ?";
> $rs = $db->getAll($sql, array($strHack));
> 
> Please let me know if a CVE is needed for this.
> 
> Patch for the issue is available [2], and will be included in upcoming
> ADOdb v5.20.7 release.
> 
> Best regards
> Damien Regad
> ADOdb maintainer
> 
> 
> [1] https://github.com/ADOdb/ADOdb/issues/226
> [2] https://github.com/ADOdb/ADOdb/commit/bd9eca9

Should I assume from the silence that no CVE is required for this?

Thanks for your reply.
Damien
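An added Python illustration of the bug class described in the quoted report; it is not ADOdb code and not part of the mail. It assumes, from the shape of the payload, that the flawed quoting doubled single quotes without escaping backslashes (the mail itself does not state the mechanism), and shows a small MySQL-style literal lexer as a check that a quoting routine keeps the whole value inside one literal.

```python
# Added illustration (not ADOdb code). Models why doubling single quotes
# alone is not a safe way to inline a string into SQL for a dialect where
# backslash is an escape character (e.g. MySQL), using the report's payload.
# Assumption (constructed, not stated in the mail): the flawed qstr() only
# doubled single quotes and left backslashes untouched.

def quote_double_only(s: str) -> str:
    """Fragile: only doubles single quotes (assumed flawed behaviour)."""
    return "'" + s.replace("'", "''") + "'"

def quote_backslash_aware(s: str) -> str:
    """Escapes backslash and quote, the minimum for a MySQL-style dialect."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def literal_end(sql: str) -> int:
    """Index just past the first single-quoted literal in `sql`, lexed with
    MySQL-style rules: backslash escapes the next char and '' is a quote.
    Returns -1 if the literal is unterminated."""
    assert sql.startswith("'")
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2          # escaped character, skip it
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2      # doubled quote inside the literal
                continue
            return i + 1    # closing quote
        i += 1
    return -1

def contained(quote, s: str) -> bool:
    """True if the quoted value lexes as exactly one literal, so nothing
    from `s` leaks out as SQL tokens after the closing quote."""
    lit = quote(s)
    return literal_end(lit) == len(lit)

# Payload from the report: PHP 'xxxx\\\' OR 1 -- ' is the value below
# (one backslash followed by one single quote).
PAYLOAD = "xxxx\\' OR 1 -- "

if __name__ == "__main__":
    print(quote_double_only(PAYLOAD), contained(quote_double_only, PAYLOAD))
    print(quote_backslash_aware(PAYLOAD), contained(quote_backslash_aware, PAYLOAD))
```

Parameterised queries, as recommended in the report, avoid the problem entirely because the value never passes through the SQL lexer.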