oss-sec mailing list archives
ADOdb PDO driver: incorrect quoting may allow SQL injection
From: Damien Regad <dregad () mantisbt org>
Date: Wed, 07 Sep 2016 19:30:28 +0200
Greetings,

jdavidlists reported an issue [1] with ADOdb 5.x, qstr() method, improperly quoting strings resulting in a potential SQL injection attack vector.

This affects only PDO-based drivers, and only in the case where the query is built by inlining the quoted string, e.g.

    $strHack = 'xxxx\\\' OR 1 -- ';
    // qstr() output inlined into the SQL text
    $sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
    $rs = $db->getAll($sql); // dumps the whole table

Note that it is not recommended to write SQL as per the above example; the code should be rewritten to use query parameters, like

    $strHack = 'xxxx\\\' OR 1 -- ';
    // value bound to the ? placeholder, no quoting done by the caller
    $sql = "SELECT * FROM employees WHERE name = ?";
    $rs = $db->getAll($sql, array($strHack));

Please let me know if a CVE is needed for this.

Patch for the issue is available [2], and will be included in upcoming ADOdb v5.20.7 release.

Best regards
Damien Regad
ADOdb maintainer

[1] https://github.com/ADOdb/ADOdb/issues/226
[2] https://github.com/ADOdb/ADOdb/commit/bd9eca9
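An added illustration (not code from the advisory or from ADOdb) of why the reported payload matters: it models a quoting routine that escapes the single quote but not the backslash before it (an assumption about the defect, inferred from the payload) beside one that escapes both, and a small lexer using MySQL-style escape rules (also an assumption) that checks whether qstr()-style output is still a single string literal.

```python
PAYLOAD = "xxxx\\' OR 1 -- "   # the PHP 'xxxx\\\' OR 1 -- ' from the advisory


def qstr_quote_only(s: str) -> str:
    """Constructed model of a faulty quoting routine (assumption, not ADOdb's
    code): the quote is escaped, the backslash preceding it is left alone."""
    return "'" + s.replace("'", "\\'") + "'"


def qstr_quote_and_backslash(s: str) -> str:
    """Quoting for a dialect where backslash is an escape character:
    escape backslashes first, then single quotes."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def literal_end(quoted: str) -> int:
    """Index just past the first complete single-quoted literal, using
    MySQL-style rules: backslash escapes the next char, '' is a quote.
    Returns -1 if the literal never closes."""
    if not quoted.startswith("'"):
        raise ValueError("expected a quoted literal")
    i, n = 1, len(quoted)
    while i < n:
        c = quoted[i]
        if c == "\\":            # escape: skip the escaped character
            i += 2
            continue
        if c == "'":
            if i + 1 < n and quoted[i + 1] == "'":
                i += 2           # doubled quote, still inside the literal
                continue
            return i + 1         # closing quote found
        i += 1
    return -1


def trailing_sql(quoted: str):
    """Text left over after the literal closes, i.e. what lands in SQL
    context instead of in the string. None if the literal never closes."""
    end = literal_end(quoted)
    return None if end == -1 else quoted[end:]


def is_single_literal(quoted: str) -> bool:
    """True when the quoted output is exactly one string literal."""
    return trailing_sql(quoted) == ""


if __name__ == "__main__":
    for fn in (qstr_quote_only, qstr_quote_and_backslash):
        q = fn(PAYLOAD)
        print(fn.__name__, repr(q), "leaks:", repr(trailing_sql(q)))
```

Running it shows the quote-only variant closing the literal early and leaving ` OR 1 -- '` in SQL context, while the variant that also escapes backslashes keeps the whole payload inside the string; bound parameters, as the advisory recommends, avoid the quoting question altogether.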
Current thread:
- ADOdb PDO driver: incorrect quoting may allow SQL injection Damien Regad (Sep 07)
- Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Damien Regad (Sep 13)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Andreas Stieger (Sep 14)
- Message not available
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Anonymous (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Moritz Muehlenhoff (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Kurt Seifried (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Jeremy Stanley (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Seth Arnold (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Kurt Seifried (Sep 14)
- Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Damien Regad (Sep 13)
- Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Damien Regad (Sep 15)