As a workaround until a hotfix is released, we recommend that all users remove the whole ./tests directory; it is only used for development purposes and is not necessary for normal ADOdb operations.
Report description
[Reference Number]
JVN#48237713
[Title]
ADOdb vulnerable to cross-site scripting
[Reporter Related Information]
Anonymous (reporter information was not provided)
[Vulnerability Information]
This vulnerability was found by the reporter.
Product Name: ADOdb
Version: 5.20.4
Language: PHP
Description:
Cross-site scripting
Reproduction Procedure:
Environment used:
OS: Windows 7
Middleware: Most recent version of xampp
Place the most recent version of xampp at c:\xampp
Place ADOdb at C:\xampp\htdocs\AUDIT\adodb5
Using Chrome with the XSS filter turned off, access
to reproduce the vulnerability. Here an alert dialog will appear.
This issue was reported by JPCERT Coordination Center (JPCERT/CC) with
reference JVN#48237713.
The root cause is a foreach loop processing all GET parameters and
blindly assigning them to variables, allowing an attacker to
replace contents of global variables.
This limits variable processing using a regex matching those used in
testdatabases.inc.php (i.e. beginning with 'test' or 'no').
Fixes #274
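The root cause and the fix as the commit message describes them, placed side by side in an added PHP example that is not ADOdb's own code: the test-page variables ($pageTitle, $testmysql), the two helper functions and the exact regex are assumptions for illustration.

```php
<?php
// Added example, not code from ADOdb. The variable-assignment pattern the
// fix commit describes, in its vulnerable and hardened forms. $pageTitle,
// $testmysql, both helpers and the regex are constructed for illustration.

// Defaults a hypothetical test page relies on.
$pageTitle = 'ADOdb test runner';   // later written into the HTML response
$testmysql = false;                 // a flag of the kind the regex admits

// VULNERABLE: every GET parameter is turned into a global variable, so a
// request carrying ?pageTitle=... silently replaces $pageTitle (or any
// other global the page later echoes).
function assignAllParamsVulnerable(array $get): void
{
    foreach ($get as $k => $v) {
        $GLOBALS[$k] = $v;          // same effect as global $$k = $v
    }
}

// HARDENED: only names matching the allow-list pattern (beginning with
// 'test' or 'no', as the commit states) are assigned; the rest are dropped.
// The character class after the prefix is an assumption.
function assignAllParamsHardened(array $get): void
{
    foreach ($get as $k => $v) {
        if (preg_match('/^(test|no)[A-Za-z0-9_]*$/', $k)) {
            $GLOBALS[$k] = $v;
        }
    }
}

// Constructed request: one legitimate flag plus an attempt to clobber the
// page title with markup.
$request = ['testmysql' => '1', 'pageTitle' => '<b>injected</b>'];

assignAllParamsHardened($request);
var_dump($testmysql);   // the allowed flag was accepted
var_dump($pageTitle);   // the unrelated global was left untouched

// Output encoding is the second half of the defence: even an allowed value
// must be escaped before it is written into HTML.
echo '<h1>' . htmlspecialchars($pageTitle, ENT_QUOTES, 'UTF-8') . "</h1>\n";
```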