Date: Wed, 14 Sep 2016 08:32:03 +0200 From: Damien Regad <dregad@...tisbt.org> To: oss-security@...ts.openwall.com Subject: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection On 2016-09-07 19:30, Damien Regad wrote: > Greetings > > jdavidlists reported an issue  with ADOdb 5.x, qstr() method, > improperly quoting strings resulting in a potential SQL injection attack > vector. > > This affects only PDO-based drivers, and only in the case where the > query is built by inlining the quoted string, e.g. > > $strHack = 'xxxx\\\' OR 1 -- '; > $sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack ); > $rs = $db->getAll($strSQL); // dumps the whole table > > Note that it is not recommended to write SQL as per the above example, > the code should be rewritten to use query parameters, like > > $strHack = 'xxxx\\\' OR 1 -- '; > $sql = "SELECT * FROM employees WHERE name = ?" > $rs = $db->getAll($strSQL, array($strHack)); > > Please let me know if a CVE is needed for this. > > Patch for the issue is available , and will be included in upcoming > ADOdb v5.20.7 release. > > Best regards > Damien Regad > ADOdb maintainer > > >  https://github.com/ADOdb/ADOdb/issues/226 >  https://github.com/ADOdb/ADOdb/commit/bd9eca9 Should I assume from the silence that no CVE is required for this ? Thanks for your reply. Damien
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.