Message-ID: <nraqt1$a2m$1@blaine.gmane.org>
Date: Wed, 14 Sep 2016 08:32:03 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection

On 2016-09-07 19:30, Damien Regad wrote:
> Greetings
> 
> jdavidlists reported an issue [1] with ADOdb 5.x, qstr() method,
> improperly quoting strings resulting in a potential SQL injection attack
> vector.
> 
> This affects only PDO-based drivers, and only in the case where the
> query is built by inlining the quoted string, e.g.
> 
> $strHack = 'xxxx\\\' OR 1 -- ';  // PHP literal: the value is  xxxx\' OR 1 --
> $sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
> $rs = $db->getAll($sql); // dumps the whole table
> 
> Note that it is not recommended to write SQL as per the above example,
> the code should be rewritten to use query parameters, like
> 
> $strHack = 'xxxx\\\' OR 1 -- ';
> $sql = "SELECT * FROM employees WHERE name = ?";
> $rs = $db->getAll($sql, array($strHack)); // value is bound, never parsed as SQL
> 
> Please let me know if a CVE is needed for this.
> 
> Patch for the issue is available [2], and will be included in upcoming
> ADOdb v5.20.7 release.
> 
> Best regards
> Damien Regad
> ADOdb maintainer
> 
> 
> [1] https://github.com/ADOdb/ADOdb/issues/226
> [2] https://github.com/ADOdb/ADOdb/commit/bd9eca9

Should I assume from the silence that no CVE is required for this?

Thanks for your reply.
Damien
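The quoting failure the quoted report describes, as an added example that is not part of this message or of ADOdb: the payload `xxxx\' OR 1 -- ` is run through two illustrative quoting routines (neither is ADOdb's qstr(); they are assumptions standing in for "quotes only" and "quotes plus backslashes" escaping), and a small scanner that follows MySQL's default string-literal rules (backslash escapes the next character, `''` is an escaped quote) reports what the database would parse after the literal closes. A non-empty remainder is the injection. The last function shows the recommended fix from the report, binding the value as a parameter, against a constructed in-memory SQLite table standing in for `employees`.

```python
import sqlite3

# Same bytes as the PHP single-quoted literal 'xxxx\\\' OR 1 -- ' from the report.
PAYLOAD = "xxxx\\' OR 1 -- "


def quote_doubling_only(s: str) -> str:
    """Illustrative (assumed) quoting that doubles single quotes and ignores backslashes."""
    return "'" + s.replace("'", "''") + "'"


def quote_escape_all(s: str) -> str:
    """Quoting that escapes both backslash and single quote, as mysql_real_escape_string does."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def literal_end(sql: str, start: int) -> int:
    """Index just past the string literal opening at sql[start], under MySQL's default rules:
    a backslash escapes the following character and '' inside the literal is one quote.
    Raises ValueError when the literal never closes."""
    if sql[start] != "'":
        raise ValueError("no string literal at start")
    i, n = start + 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "\\":          # escaped character: skip it whatever it is
            i += 2
            continue
        if c == "'":
            if i + 1 < n and sql[i + 1] == "'":   # doubled quote stays inside the literal
                i += 2
                continue
            return i + 1        # closing quote
        i += 1
    raise ValueError("unterminated string literal")


def trailing_sql(prefix: str, quoted: str) -> str:
    """Text the SQL parser sees after the inlined literal closes; empty means no breakout."""
    sql = prefix + quoted
    return sql[literal_end(sql, len(prefix)):]


def parameterized_lookup(rows, needle):
    """The fix from the report: bind the value, so the driver never treats it as SQL.
    Constructed in-memory table; only an exact name match is returned."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (name TEXT)")
    con.executemany("INSERT INTO employees VALUES (?)", [(r,) for r in rows])
    return [r[0] for r in con.execute("SELECT name FROM employees WHERE name = ?", (needle,))]


if __name__ == "__main__":
    prefix = "SELECT * FROM employees WHERE name = "
    for fn in (quote_doubling_only, quote_escape_all):
        print(f"{fn.__name__:22} -> {prefix + fn(PAYLOAD)!r}")
        print(f"{'':22}    after literal: {trailing_sql(prefix, fn(PAYLOAD))!r}")
    print("bound parameter matches:", parameterized_lookup(["alice", "bob"], PAYLOAD))
```

With quote doubling alone the payload's own backslash consumes the first of the doubled quotes, the second quote closes the literal and ` OR 1 -- '` is left for the parser; escaping the backslash as well keeps the whole value inside one literal. Binding the parameter sidesteps the quoting question entirely, which is why the report recommends it over inlining qstr() output.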
