Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02NW1qLTdjODYtNzlqZs0mAA

Authentication Bypass in ADOdb/ADOdb

Impact

An attacker who controls a connection parameter can inject values into a PostgreSQL connection string by supplying a value surrounded by single quotes: the driver's quoting routine treated such a value as already quoted and passed it through unescaped.

Depending on how the library is used in the client software, this may allow an attacker to bypass the login process, gain access to the server's IP address, etc.

Patches

The vulnerability is fixed in ADOdb versions 5.20.21 (952de6c4273d9b1e91c2b838044f8c2111150c29) and 5.21.4 or later (b4d5ce70034c5aac3a1d51d317d93c037a0938d2).

The simplest patch is to delete line 29 in drivers/adodb-postgres64.inc.php:

diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
index d04b7f67..729d7141 100644
--- a/drivers/adodb-postgres64.inc.php
+++ b/drivers/adodb-postgres64.inc.php
@@ -26,7 +26,6 @@ function adodb_addslashes($s)
 {
    $len = strlen($s);
    if ($len == 0) return "''";
-   if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted
 
    return "'".addslashes($s)."'";
 }
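Review bot: With the "already quoted" shortcut removed, every non-empty value now passes through addslashes() and is wrapped in quotes, so any caller that deliberately passed a pre-quoted value will now receive a doubly quoted, escaped string and fail to connect; the deletion is the right fix for the injection, but it should ship with a changelog note about that behaviour change and a regression test that feeds adodb_addslashes() a value starting and ending with a single quote and asserts it is escaped rather than returned as-is.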

Workarounds

Ensure the parameters passed to ADOConnection::connect() or related functions (nConnect(), pConnect()) are not surrounded by single quotes.
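To illustrate the patch and the workaround together, here is an added PHP example that is not ADOdb's own code: it places the pre-fix quoting routine shown in the diff above beside the post-fix one, and adds a hypothetical guard, assert_unquoted_connection_param(), that enforces the workaround for callers who cannot upgrade yet. The names of the two copies and of the guard are assumptions, and the sample values are constructed.

```php
<?php
// Added example (not ADOdb's own code): pre-fix and post-fix quoting side by
// side, plus a guard implementing the advisory's workaround.

// Vulnerable form (ADOdb <= 5.20.20 and 5.21.0-5.21.3): a value that starts
// and ends with a single quote is returned untouched, so whatever sits between
// those quotes reaches the libpq connection string without escaping.
function adodb_addslashes_vulnerable(string $s): string
{
    $len = strlen($s);
    if ($len == 0) return "''";
    if (strncmp($s, "'", 1) === 0 && substr($s, $len - 1) == "'") return $s; // already quoted
    return "'" . addslashes($s) . "'";
}

// Fixed form (5.20.21 / 5.21.4): every non-empty value is escaped and wrapped,
// which is exactly what the driver does once the "already quoted" line is gone.
function adodb_addslashes_fixed(string $s): string
{
    $len = strlen($s);
    if ($len == 0) return "''";
    return "'" . addslashes($s) . "'";
}

// Workaround guard (hypothetical helper, not part of ADOdb): reject any
// connection parameter wrapped in single quotes before it is handed to
// ADOConnection::connect(), nConnect() or pConnect().
function assert_unquoted_connection_param(string $name, string $value): void
{
    $len = strlen($value);
    if ($len >= 2 && $value[0] === "'" && $value[$len - 1] === "'") {
        throw new InvalidArgumentException(
            "connection parameter '$name' must not be surrounded by single quotes"
        );
    }
}

// Constructed sample values: one ordinary database name and one that a
// caller (or an attacker supplying it) has wrapped in single quotes.
$samples = [
    'plain'  => 'mydb',
    'quoted' => "'mydb'",
];
foreach ($samples as $label => $value) {
    printf("%-6s vulnerable=%s fixed=%s\n", $label,
        adodb_addslashes_vulnerable($value),
        adodb_addslashes_fixed($value));
}

// The guard accepts the plain value and rejects the quoted one.
foreach (['database' => 'mydb', 'password' => "'secret'"] as $name => $value) {
    try {
        assert_unquoted_connection_param($name, $value);
        echo "$name: ok\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected - " . $e->getMessage() . "\n";
    }
}
```

Run the script with `php` on the command line. The vulnerable routine returns the quoted sample unchanged while the fixed routine escapes its inner quotes, which is the whole difference the one-line patch makes; the guard is only a stopgap for code that cannot move to 5.20.21 or 5.21.4 yet, and it should be applied to every parameter, not just the password.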

Credits

Thanks to Emmet Leahy (@meme-lord) of Sorcery Ltd for reporting this vulnerability, and to the huntr team for their support.

Permalink: https://github.com/advisories/GHSA-65mj-7c86-79jf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NW1qLTdjODYtNzlqZs0mAA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago

CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-65mj-7c86-79jf, CVE-2021-3850
References: Repository: https://github.com/ADOdb/ADOdb
Blast Radius: 22.7

Affected Packages

packagist:adodb/adodb-php
Dependent packages: 31
Dependent repositories: 309
Downloads: 2,203,469 total
Affected Version Ranges: >= 5.21.0, <= 5.21.3; <= 5.20.20
Fixed in: 5.21.4, 5.20.21
All affected versions: 5.20.0, 5.20.1, 5.20.2, 5.20.3, 5.20.4, 5.20.5, 5.20.6, 5.20.7, 5.20.8, 5.20.9, 5.20.10, 5.20.11, 5.20.12, 5.20.13, 5.20.14, 5.20.15, 5.20.16, 5.20.17, 5.20.18, 5.20.19, 5.20.20, 5.21.0, 5.21.1, 5.21.2, 5.21.3
All unaffected versions: 5.20.21, 5.21.4, 5.22.0, 5.22.1, 5.22.2, 5.22.3, 5.22.4, 5.22.5, 5.22.6, 5.22.7