Posted: Mon Feb 06, 2006 7:26 pm Post subject: [ GLSA 200602-02 ] ADOdb: PostgresSQL command injection
Gentoo Linux Security Advisory
Title: ADOdb: PostgresSQL command injection (GLSA 200602-02)
Date: February 06, 2006
ADOdb is vulnerable to SQL injections if used in conjunction with a PostgreSQL database.
ADOdb is an abstraction library for PHP creating a common API for a wide range of database backends.
Vulnerable: < 4.71
Unaffected: >= 4.71
Architectures: All supported architectures
Andy Staudacher discovered that ADOdb does not properly sanitize all parameters.
By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host.
There is no known workaround at this time.
All ADOdb users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/adodb-4.71"
Last edited by GLSA on Sun May 07, 2006 5:00 pm; edited 1 time in total