GHSA-65mj-7c86-79jf

Source
https://github.com/advisories/GHSA-65mj-7c86-79jf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-65mj-7c86-79jf/GHSA-65mj-7c86-79jf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-65mj-7c86-79jf
Aliases
Published
2022-01-27T15:23:19Z
Modified
2023-11-08T04:06:27.757791Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Authentication Bypass in ADOdb/ADOdb
Details

Impact

An attacker can inject values into a PostgreSQL connection string by providing a parameter surrounded by single quotes.

Depending on how the library is used in the client software, this may allow an attacker to bypass the login process, gain access to the server's IP address, etc.

Patches

The vulnerability is fixed in ADOdb versions 5.20.21 (952de6c4273d9b1e91c2b838044f8c2111150c29) and 5.21.4 or later (b4d5ce70034c5aac3a1d51d317d93c037a0938d2).

The simplest patch is to delete line 29 in drivers/adodb-postgres64.inc.php:

diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
index d04b7f67..729d7141 100644
--- a/drivers/adodb-postgres64.inc.php
+++ b/drivers/adodb-postgres64.inc.php
@@ -26,7 +26,6 @@ function adodb_addslashes($s)
 {
    $len = strlen($s);
    if ($len == 0) return "''";
-   if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted

    return "'".addslashes($s)."'";
 }
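
Review bot: With the "already quoted" early return removed, nothing in adodb_addslashes() records why a value that starts and ends with a single quote must not be trusted as pre-quoted, so the shortcut could easily be reintroduced later. Add a short comment above the final return stating that every input is escaped and wrapped unconditionally, and add a regression test asserting that a quote-wrapped input comes back with its quotes escaped by addslashes() rather than unchanged. This is also a behaviour change for callers that deliberately passed pre-quoted parameters (their outer quotes now become part of the value), which deserves an upgrade note. Minor: $len is now only read by the empty check and could be inlined.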

Workarounds

Ensure the parameters passed to ADOConnection::connect() or related functions (nConnect(), pConnect()) are not surrounded by single quotes.
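
The workaround above written as a guard, next to the pre-patch and patched function bodies from the diff so the difference can be checked on sample input. This is an added example, not ADOdb's own code: the function names addslashes_prepatch(), addslashes_patched() and assert_not_quote_wrapped() are hypothetical, and the sample values are constructed.

```php
<?php
// Pre-patch behaviour (body taken from the diff, hypothetical name):
// a value that starts and ends with ' is returned without escaping.
function addslashes_prepatch($s)
{
    $len = strlen($s);
    if ($len == 0) return "''";
    if (strncmp($s, "'", 1) === 0 && substr($s, $len - 1) == "'") return $s; // already quoted
    return "'" . addslashes($s) . "'";
}

// Patched behaviour: every value is escaped and wrapped.
function addslashes_patched($s)
{
    $len = strlen($s);
    if ($len == 0) return "''";
    return "'" . addslashes($s) . "'";
}

// Workaround guard (hypothetical helper): reject quote-wrapped parameters
// before they reach connect(), nConnect() or pConnect() on unpatched versions.
// Uses the same condition as the removed line, so a lone "'" is rejected too.
function assert_not_quote_wrapped($name, $value)
{
    $value = (string) $value;
    if ($value !== '' && $value[0] === "'" && substr($value, -1) === "'") {
        throw new InvalidArgumentException("$name must not be surrounded by single quotes");
    }
    return $value;
}

// Constructed sample values; the second carries an extra, harmless keyword.
$samples = ["s3cret", "'a' application_name='b'", "'"];
foreach ($samples as $v) {
    printf("input    : %s\n", $v);
    printf("pre-patch: %s\n", addslashes_prepatch($v));
    printf("patched  : %s\n", addslashes_patched($v));
    try {
        assert_not_quote_wrapped('password', $v);
        echo "guard    : accepted\n\n";
    } catch (InvalidArgumentException $e) {
        echo "guard    : rejected (" . $e->getMessage() . ")\n\n";
    }
}
```

The guard is only a stopgap for installations that cannot upgrade yet; on fixed versions the library escapes every parameter itself.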

Credits

Thanks to Emmet Leahy (@meme-lord) of Sorcery Ltd for reporting this vulnerability, and to the huntr team for their support.

References

  • Original issue report https://huntr.dev/bounties/bdf5f216-4499-4225-a737-b28bc6f5801c/
  • ADOdb reference issue #793

For more information

If you have any questions or comments about this advisory:

  • Add a note in issue #793
  • Contact the maintainers on Gitter

Database specific
{
    "nvd_published_at": "2022-01-25T15:15:00Z",
    "github_reviewed_at": "2022-01-24T22:39:29Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287",
        "CWE-305"
    ]
}
Affected packages

Packagist / adodb/adodb-php

Package

Name
adodb/adodb-php
Purl
pkg:composer/adodb/adodb-php

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.20.21

Affected versions

v5.*

v5.19
v5.20.0
v5.20.1
v5.20.2
v5.20.3
v5.20.4
v5.20.5
v5.20.6
v5.20.7
v5.20.8
v5.20.9
v5.20.10
v5.20.11
v5.20.12
v5.20.13
v5.20.14
v5.20.15
v5.20.16
v5.20.17
v5.20.18
v5.20.19
v5.20.20

Database specific

{
    "last_known_affected_version_range": "<= 5.20.20"
}

Packagist / adodb/adodb-php

Package

Name
adodb/adodb-php
Purl
pkg:composer/adodb/adodb-php

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.21.0
Fixed
5.21.4

Affected versions

v5.*

v5.21.0
v5.21.1
v5.21.2
v5.21.3

Database specific

{
    "last_known_affected_version_range": "<= 5.21.3"
}