Date: Wed, 07 Sep 2016 19:30:28 +0200 From: Damien Regad <dregad@...tisbt.org> To: oss-security@...ts.openwall.com Subject: ADOdb PDO driver: incorrect quoting may allow SQL injection Greetings jdavidlists reported an issue  with ADOdb 5.x, qstr() method, improperly quoting strings resulting in a potential SQL injection attack vector. This affects only PDO-based drivers, and only in the case where the query is built by inlining the quoted string, e.g. $strHack = 'xxxx\\\' OR 1 -- '; $sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack ); $rs = $db->getAll($strSQL); // dumps the whole table Note that it is not recommended to write SQL as per the above example, the code should be rewritten to use query parameters, like $strHack = 'xxxx\\\' OR 1 -- '; $sql = "SELECT * FROM employees WHERE name = ?" $rs = $db->getAll($strSQL, array($strHack)); Please let me know if a CVE is needed for this. Patch for the issue is available , and will be included in upcoming ADOdb v5.20.7 release. Best regards Damien Regad ADOdb maintainer  https://github.com/ADOdb/ADOdb/issues/226  https://github.com/ADOdb/ADOdb/commit/bd9eca9
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.