what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

secunia-ADOdb.txt

secunia-ADOdb.txt
Posted Jan 10, 2006
Authored by Andreas Sandblad | Site secunia.com

Secunia Research has discovered two security issues in ADOdb, which can be exploited by malicious people to disclose system information, execute arbitrary SQL code, and potentially compromise a vulnerable system. Details provided. ADOdb versions 4.66 and 4.68 for PHP are affected.

tags | exploit, arbitrary, php
SHA-256 | a212b5763393fa5ec35a8dfe35d726cc4f7c2a8000c581074fd8516fbf88411b

secunia-ADOdb.txt

Change Mirror Download
======================================================================

Secunia Research 09/01/2006

- ADOdb Insecure Test Scripts Security Issues -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Security Issues.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

ADOdb versions 4.66 and 4.68 for PHP

The following applications have been confirmed to insecurely bundle
test scripts for the ADOdb library:
* Mantis versions 0.19.4 and 1.0.0rc4
* PostNuke version 0.761 (only security issue #1)
* Moodle version 1.5.3
* Cacti version 0.8.6g (only security issue #1)

Other versions may also be affected.

======================================================================
2) Severity

Rating: Less critical
Impact: System access
Exposure of system information
Security bypass
Where: Remote

======================================================================
3) Vendor's Description of Software

ADOdb is a database abstraction library for PHP.

Product link:
http://adodb.sourceforge.net/

======================================================================
4) Description of Security Issues

Secunia Research has discovered two security issues in ADOdb, which
can be exploited by malicious people to disclose system information,
execute arbitrary SQL code, and potentially compromise a vulnerable
system.

1) The problem is caused due to the presence of the insecure
"server.php" test script. This can be exploited to execute arbitrary
SQL code with full MySQL database privileges via the "sql" parameter.

Example:
http://[victim]/server.php?sql=SELECT '[content]' INTO OUTFILE '[file]'

This can further be exploited to create an arbitrary PHP script in a
directory inside the web root writable by the MySQL user.

Successful exploitation requires that the MySQL password for the root
user is empty and that the affected script is placed accessible
inside the web root.

2) The problem is caused due to the presence of the insecure
"tests/tmssql.php" test script. This can be exploited to call an
arbitrary PHP function via the "do" parameter.

Example:
http://[victim]/tests/tmssql.php?do=phpinfo

Successful exploitation requires that the affected script is placed
accessible inside the web root.

The security issues have been confirmed in versions 4.66 and 4.68 for
PHP. Other versions may also be affected.

======================================================================
5) Solution

ADOdb:
Update to version 4.70 for PHP.
http://sourceforge.net/project/showfiles.php?group_id=42718

Mantis:
Restrict web access to PHP scripts in the "core/adodb" directory
(e.g. with a .htaccess file).

PostNuke:
Update to version 0.761a.
http://downloads.postnuke.com/

Moodle:
The security issues have been fixed in the latest stable branch
(Moodle 1.5.3 +).

Cacti:
Update to version 0.8.6h.
http://www.cacti.net/download_cacti.php

======================================================================
6) Time Table

30/12/2005 - Initial vendor notification.
03/01/2006 - Other affected vendors notified.
05/01/2006 - Initial vendor reply.
08/01/2006 - New version of ADOdb released.
09/01/2006 - Public disclosure.

======================================================================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-64/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close