Date: Wed, 07 Sep 2016 19:30:28 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: ADOdb PDO driver: incorrect quoting may allow SQL injection

Greetings

jdavidlists reported an issue [1] with ADOdb 5.x: the qstr() method
improperly quotes strings, resulting in a potential SQL injection attack
vector.

This affects only PDO-based drivers, and only in the case where the
query is built by inlining the quoted string, e.g.

$strHack = 'xxxx\\\' OR 1 -- ';
$sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
$rs = $db->getAll($sql); // dumps the whole table

Note that it is not recommended to write SQL as per the above example;
the code should be rewritten to use query parameters, like

$strHack = 'xxxx\\\' OR 1 -- ';
$sql = "SELECT * FROM employees WHERE name = ?";
$rs = $db->getAll($sql, array($strHack)); // value is bound, not inlined

Please let me know if a CVE is needed for this.

Patch for the issue is available [2], and will be included in upcoming
ADOdb v5.20.7 release.

Best regards
Damien Regad
ADOdb maintainer


[1] https://github.com/ADOdb/ADOdb/issues/226
[2] https://github.com/ADOdb/ADOdb/commit/bd9eca9
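Added illustration, not code from the report or from ADOdb: it models the assumed root cause (a quoting routine that escapes the quote character but not the backslash, inferred from the `\'` in the reported input), shows the rendered literal next to one that also escapes backslashes, and includes a hypothetical isSingleLiteral() check a reviewer can run offline against any quoting routine's output.

```php
<?php
// quoteNaive(): assumed model of the defective behaviour (escapes ' only).
// On a backend where backslash is an escape character, the caller's own
// backslash swallows the added one and the quote terminates the literal.
function quoteNaive(string $s): string {
    return "'" . str_replace("'", "\\'", $s) . "'";
}

// quoteEscaped(): also escapes backslash and NUL, the approach taken by
// mysqli_real_escape_string() / PDO::quote() on MySQL. Backslash must be
// replaced first so the escapes added for ' and NUL are not re-escaped.
function quoteEscaped(string $s): string {
    $s = str_replace(['\\', "\0", "'"], ['\\\\', '\\0', "\\'"], $s);
    return "'" . $s . "'";
}

// isSingleLiteral(): hypothetical self-check. Under backslash-escape rules,
// a quoted value is safe to inline only if the first unescaped quote after
// the opening one is the final character of the string.
function isSingleLiteral(string $quoted): bool {
    $n = strlen($quoted);
    if ($n < 2 || $quoted[0] !== "'") {
        return false;
    }
    for ($i = 1; $i < $n; $i++) {
        $c = $quoted[$i];
        if ($c === '\\') {      // escaped character: skip it
            $i++;
            continue;
        }
        if ($c === "'") {       // must be the closing quote
            return $i === $n - 1;
        }
    }
    return false;               // unterminated literal
}

// Constructed input taken from the report: the PHP source 'xxxx\\\' OR 1 -- '
// is the 16-byte value  xxxx\' OR 1 --  (one backslash, one quote).
$strHack = 'xxxx\\\' OR 1 -- ';
foreach (['naive' => quoteNaive($strHack), 'escaped' => quoteEscaped($strHack)] as $name => $lit) {
    printf("%-8s %-24s single literal: %s\n", $name, $lit,
        isSingleLiteral($lit) ? 'yes' : 'NO');
}
// naive    'xxxx\\' OR 1 -- '       single literal: NO
// escaped  'xxxx\\\' OR 1 -- '      single literal: yes
```

Even with correct escaping, inlining is fragile across backends and character sets, which is why the bound-parameter form above remains the recommended fix.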
