Date: Wed, 14 Sep 2016 08:32:03 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection

On 2016-09-07 19:30, Damien Regad wrote:
> Greetings
>
> jdavidlists reported an issue with ADOdb 5.x, qstr() method,
> improperly quoting strings resulting in a potential SQL injection attack
> vector.
>
> This affects only PDO-based drivers, and only in the case where the
> query is built by inlining the quoted string, e.g.
>
> $strHack = 'xxxx\\\' OR 1 -- ';
> $sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
> $rs = $db->getAll($sql); // dumps the whole table
>
> Note that it is not recommended to write SQL as per the above example,
> the code should be rewritten to use query parameters, like
>
> $strHack = 'xxxx\\\' OR 1 -- ';
> $sql = "SELECT * FROM employees WHERE name = ?";
> $rs = $db->getAll($sql, array($strHack));
>
> Please let me know if a CVE is needed for this.
>
> Patch for the issue is available, and will be included in upcoming
> ADOdb v5.20.7 release.
>
> Best regards
> Damien Regad
> ADOdb maintainer
>
>
> https://github.com/ADOdb/ADOdb/issues/226
> https://github.com/ADOdb/ADOdb/commit/bd9eca9

Should I assume from the silence that no CVE is required for this?

Thanks for your reply.

Damien
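The two query styles from the message above, reproduced as an added example that is not ADOdb's code: naive_qstr() is a hypothetical quoter that escapes a quote with a backslash but leaves backslashes alone (a stand-in for the kind of quoting defect described, not the actual ADOdb implementation), safe_qstr() doubles quotes as SQLite expects, and the parameterized form never inlines the value at all. The employees table and its rows are constructed here; the payload is the one from the advisory.

```python
import sqlite3

# Payload from the advisory. In Python source this is the value  xxxx\' OR 1 --
PAYLOAD = "xxxx\\' OR 1 -- "


def naive_qstr(s: str) -> str:
    """Hypothetical quoter: prefixes embedded quotes with a backslash but does
    not escape backslashes themselves, so a trailing backslash in the input
    neutralises the escape and lets the quote terminate the literal."""
    return "'" + s.replace("'", "\\'") + "'"


def safe_qstr(s: str) -> str:
    """Standard SQL quoting: double every embedded quote. SQLite never treats
    a backslash as an escape, so the payload stays inside the literal."""
    return "'" + s.replace("'", "''") + "'"


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the advisory's employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def lookup_inlined(conn: sqlite3.Connection, name: str, quoter) -> list:
    """The discouraged pattern: build the statement by inlining the quoted value."""
    sql = "SELECT * FROM employees WHERE name = " + quoter(name)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The recommended pattern: bind the value as a query parameter."""
    return conn.execute("SELECT * FROM employees WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # naive quoting produces  'xxxx\\' OR 1 -- '  and returns every row
    print(lookup_inlined(db, PAYLOAD, naive_qstr))
    # correct quoting and parameter binding each return no rows
    print(lookup_inlined(db, PAYLOAD, safe_qstr))
    print(lookup_parameterized(db, PAYLOAD))
```

Running it shows the whole table dumped only for the naive quoter; both correct quoting and parameter binding match nothing, which is the behaviour the advisory's second snippet is meant to guarantee.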