oss-sec mailing list archives
Re: ADOdb PDO driver: incorrect quoting may allow SQL injection
From: Damien Regad <dregad () mantisbt org>
Date: Wed, 14 Sep 2016 08:32:03 +0200
On 2016-09-07 19:30, Damien Regad wrote:
> Greetings,
>
> jdavidlists reported an issue [1] with ADOdb 5.x, qstr() method, improperly quoting strings resulting in a potential SQL injection attack vector.
>
> This affects only PDO-based drivers, and only in the case where the query is built by inlining the quoted string, e.g.
>
>     $strHack = 'xxxx\\\' OR 1 -- ';
>     $sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
>     $rs = $db->getAll($sql); // dumps the whole table
>
> Note that it is not recommended to write SQL as per the above example, the code should be rewritten to use query parameters, like
>
>     $strHack = 'xxxx\\\' OR 1 -- ';
>     $sql = "SELECT * FROM employees WHERE name = ?";
>     $rs = $db->getAll($sql, array($strHack));
>
> Please let me know if a CVE is needed for this.
>
> Patch for the issue is available [2], and will be included in upcoming ADOdb v5.20.7 release.
>
> Best regards
> Damien Regad
> ADOdb maintainer
>
> [1] https://github.com/ADOdb/ADOdb/issues/226
> [2] https://github.com/ADOdb/ADOdb/commit/bd9eca9
Should I assume from the silence that no CVE is required for this?

Thanks for your reply.

Damien
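The following is an added example, written for this archive page and not code from ADOdb or from the reporter, showing why the payload in the quoted mail works against a quoter that escapes only the quote character. The page does not say exactly what the PDO driver's qstr() did, so the faulty quoter is modelled here as one that doubles single quotes and leaves backslashes untouched (correct for ANSI/PostgreSQL standard strings, wrong for MySQL); the "fixed" quoter escapes backslashes as well as quotes, as MySQL's default string-literal rules require. The scanner is a deliberately minimal model of how MySQL tokenises a single-quoted literal, not a real SQL parser, and the payload is the one from the mail.

```python
"""Why escaping only the quote is not enough when MySQL parses the literal.

Constructed example, not ADOdb code. Assumptions: the buggy quoter doubles
quotes and ignores backslashes; MySQL runs in its default mode where a
backslash inside a string literal escapes the next character.
"""

PAYLOAD = "xxxx\\' OR 1 -- "          # the mail's $strHack: xxxx\' OR 1 --
PREFIX = "SELECT * FROM employees WHERE name = "


def qstr_quote_only(s: str) -> str:
    """Hypothetical buggy quoter: '' for ', nothing for backslash."""
    return "'" + s.replace("'", "''") + "'"


def qstr_mysql(s: str) -> str:
    """Quoter that honours MySQL backslash escapes: escape the backslash
    first, then the quote, so user data can never produce a bare \\'."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def scan_mysql_literal(sql: str, start: int):
    """Scan a single-quoted MySQL string literal beginning at sql[start].

    Models MySQL with NO_BACKSLASH_ESCAPES off: a backslash escapes the
    following character and '' is a literal quote. Sequences such as \\n
    are simplified to the bare character, which is exact for the two that
    matter here (\\' and \\\\).
    Returns (decoded_value, index_just_past_the_closing_quote).
    """
    if sql[start] != "'":
        raise ValueError("literal does not start with a quote")
    out = []
    i, n = start + 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "\\" and i + 1 < n:           # backslash escape
            out.append(sql[i + 1])
            i += 2
        elif c == "'":
            if i + 1 < n and sql[i + 1] == "'":   # doubled quote
                out.append("'")
                i += 2
            else:                                  # closing quote
                return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def analyse(quoter, value: str):
    """Build the inlined query, then read it back the way MySQL would.

    Returns (sql, literal_as_seen_by_mysql, trailing_sql). Any non-empty
    trailing_sql is attacker-controlled text that escaped the literal.
    """
    sql = PREFIX + quoter(value)
    literal, end = scan_mysql_literal(sql, len(PREFIX))
    return sql, literal, sql[end:].strip()


if __name__ == "__main__":
    cases = (("quote-only", qstr_quote_only), ("mysql", qstr_mysql))
    for name, quoter in cases:
        for value in ("O'Brien", PAYLOAD):
            sql, literal, tail = analyse(quoter, value)
            verdict = "INJECTION" if tail else "ok"
            print(f"{name:10} {verdict:9} {sql!r}")
            print(f"{'':10} literal={literal!r} trailing={tail!r}")
```

The harmless input O'Brien is quoted correctly by both routines, which is why a quote-doubling qstr() looks fine in ordinary use; only the backslash-then-quote payload makes MySQL close the literal early and execute the `OR 1 --` that follows. A parameterised query, as recommended in the mail, never builds the literal at all, so neither quoter is involved.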
Current thread:
- ADOdb PDO driver: incorrect quoting may allow SQL injection Damien Regad (Sep 07)
- Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Damien Regad (Sep 13)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Andreas Stieger (Sep 14)
- Message not available
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Anonymous (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Moritz Muehlenhoff (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Kurt Seifried (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Jeremy Stanley (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Seth Arnold (Sep 14)
- Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Kurt Seifried (Sep 14)
- Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Damien Regad (Sep 13)
- Re: ADOdb PDO driver: incorrect quoting may allow SQL injection Damien Regad (Sep 15)