CVE-2016-7405: ADOdb qstr() method does not quote properly with PDO #226
Comments
Thanks for the report, will look into it
Whilst I agree that the example you give with 9*7 is correct, and can be duplicated, I cannot extrapolate it with any valid SQL like you suggested. Here is the result of my test:

```php
include '/dev/github/v5.20.4/adodb.inc.php';
$db = ADOnewConnection('pdo');
$db->debug = true;
$database = 'employees';
$host = '127.0.0.1';
$user = 'root';
$password = 'password';
$db->connect('mysql:host=localhost;dbname=employees;charset=utf8mb4',$user,$password);
//$strHack = 'backslash\\\',9*7 -- ';
$strHack = 'backslash\\\'; DROP TABLE nothing';
$strSQL = "SELECT " . $db->qstr( $strHack );
echo $strSQL, "\n";
$x = $db->getAll( $strSQL );
var_dump( $x );
```

And the result is:

```
array(1) {
  [0]=>
  array(2) {
    ["backslash'"]=>
    string(10) "backslash'"
    [0]=>
    string(10) "backslash'"
  }
}
```

It would appear that the addition of the ; symbol causes execute() to discard the trailing statement. @jdavidlists Could you check the syntax of my sample to ensure I have created this test correctly?
You may have an easier time constructing an example in the predicate of the "OR 1" variety. E.g. turning: into: with something like: (Not tested; I'm on vacation.)
I confirm that, using @mnewnham's sample code above, I can dump the whole table. That being said, the above query should really be written like this, which prevents any injection.
The PDO driver was relying on ADOConnection::qstr() for quoting strings. An application relying on qstr() to manually prepare SQL statements rather than using parameterized queries may be vulnerable to SQL injection attacks, as demonstrated by @jdavidlists. This commit delegates string quoting to PDO::quote() when a connection is available. If not, it simply replaces single quotes by the value of $replaceQuote property. Fixes ADOdb#226
Proposed fix, see pull request #252 - override qstr() method in ADODB_pdo, that delegates quoting to underlying PDO object.
CVE assignment http://www.openwall.com/lists/oss-security/2016/09/15/1
In ADODB 5.20.4, using the PDO driver results in qstr not behaving properly, leading to SQL injection. The same method called with the MySQLi driver works as expected.
Example code:
Example results:
Note the unescaped backslash and different style of single-quote escaping in the ADODB PDO example.
This is an exploitable vulnerability:
Exploit code:
Exploit results:
(Substitute ",9*7" for "; DROP TABLE AllYourAccountingRecords;")
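To make the "unescaped backslash" point concrete, here is an added example (not ADOdb's code, and not from anyone in this thread) that models the two quoting styles the issue contrasts and runs their output through a minimal MySQL string-literal lexer: a quoting routine is only safe if the server reads back exactly the input with nothing left over. The `quote_naive`, `quote_escaped`, `lex_literal` and `round_trips` names and the `PAYLOAD` value are constructed for illustration; `PAYLOAD` mirrors the `$strHack` used in the report.

```python
"""Round-trip check for SQL string quoting (constructed example for CVE-2016-7405)."""

def quote_naive(s: str) -> str:
    """Doubles single quotes only, backslashes untouched: the
    behaviour the issue describes for qstr() under the PDO driver."""
    return "'" + s.replace("'", "''") + "'"

def quote_escaped(s: str) -> str:
    """Backslash-escapes backslash and both quote characters, the way a
    MySQL real-escape-string style quoting (PDO::quote) does."""
    out = s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return "'" + out + "'"

def lex_literal(sql: str) -> tuple:
    """Read one single-quoted MySQL literal from the start of `sql`
    (backslash escapes and '' doubling, default sql_mode).
    Returns (decoded_value, leftover_text)."""
    if not sql.startswith("'"):
        raise ValueError("expected opening quote")
    i, out = 1, []
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):      # \x -> x
            out.append(sql[i + 1]); i += 2
        elif c == "'":
            if sql[i + 1:i + 2] == "'":          # '' -> '
                out.append("'"); i += 2
            else:                                # closing quote
                return "".join(out), sql[i + 1:]
        else:
            out.append(c); i += 1
    raise ValueError("unterminated literal")

def round_trips(quote, s: str) -> bool:
    """True only if the server would read back exactly `s` and no text
    remains to be parsed as further SQL (extra columns, comments, ...)."""
    try:
        value, rest = lex_literal(quote(s))
    except ValueError:
        return False
    return value == s and rest == ""

# Constructed payload, equivalent to the report's 'backslash\\\',9*7 -- '.
PAYLOAD = "backslash\\',9*7 -- "

if __name__ == "__main__":
    for name, q in (("naive", quote_naive), ("escaped", quote_escaped)):
        value, rest = lex_literal(q(PAYLOAD))
        print(f"{name:8} {q(PAYLOAD)!r} -> value={value!r} "
              f"leftover={rest!r} safe={round_trips(q, PAYLOAD)}")
```

The naive routine round-trips plain apostrophes (`it's`) but not a backslash followed by a quote, which is exactly the gap the issue reports; the escaped routine round-trips both.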