Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAndreas SandbladPACKETSTORM:42933
HistoryJan 10, 2006 - 12:00 a.m.

secunia-ADOdb.txt

2006-01-1000:00:00
Andreas Sandblad
packetstormsecurity.com
20
JSON
`======================================================================  
  
Secunia Research 09/01/2006  
  
- ADOdb Insecure Test Scripts Security Issues -  
  
======================================================================  
Table of Contents  
  
Affected Software....................................................1  
Severity.............................................................2  
Vendor's Description of Software.....................................3  
Description of Security Issues.......................................4  
Solution.............................................................5  
Time Table...........................................................6  
Credits..............................................................7  
About Secunia........................................................8  
Verification.........................................................9  
  
======================================================================  
1) Affected Software  
  
ADOdb versions 4.66 and 4.68 for PHP  
  
The following applications have been confirmed to insecurely bundle   
test scripts for the ADOdb library:  
* Mantis versions 0.19.4 and 1.0.0rc4  
* PostNuke version 0.761 (only security issue #1)  
* Moodle version 1.5.3  
* Cacti version 0.8.6g (only security issue #1)  
  
Other versions may also be affected.  
  
======================================================================  
2) Severity  
  
Rating: Less critical  
Impact: System access  
Exposure of system information  
Security bypass  
Where: Remote  
  
======================================================================  
3) Vendor's Description of Software  
  
ADOdb is a database abstraction library for PHP.  
  
Product link:  
http://adodb.sourceforge.net/  
  
======================================================================  
4) Description of Security Issues  
  
Secunia Research has discovered two security issues in ADOdb, which   
can be exploited by malicious people to disclose system information,   
execute arbitrary SQL code, and potentially compromise a vulnerable   
system.  
  
1) The problem is caused due to the presence of the insecure   
"server.php" test script. This can be exploited to execute arbitrary   
SQL code with full MySQL database privileges via the "sql" parameter.  
  
Example:  
http://[victim]/server.php?sql=SELECT '[content]' INTO OUTFILE '[file]'  
  
This can further be exploited to create an arbitrary PHP script in a   
directory inside the web root writable by the MySQL user.  
  
Successful exploitation requires that the MySQL password for the root   
user is empty and that the affected script is placed accessible   
inside the web root.  
  
2) The problem is caused due to the presence of the insecure   
"tests/tmssql.php" test script. This can be exploited to call an   
arbitrary PHP function via the "do" parameter.  
  
Example:  
http://[victim]/tests/tmssql.php?do=phpinfo  
  
Successful exploitation requires that the affected script is placed   
accessible inside the web root.  
  
The security issues have been confirmed in versions 4.66 and 4.68 for   
PHP. Other versions may also be affected.  
  
======================================================================  
5) Solution  
  
ADOdb:  
Update to version 4.70 for PHP.  
http://sourceforge.net/project/showfiles.php?group_id=42718  
  
Mantis:  
Restrict web access to PHP scripts in the "core/adodb" directory   
(e.g. with a .htaccess file).  
  
PostNuke:  
Update to version 0.761a.  
http://downloads.postnuke.com/  
  
Moodle:  
The security issues have been fixed in the latest stable branch   
(Moodle 1.5.3 +).  
  
Cacti:  
Update to version 0.8.6h.  
http://www.cacti.net/download_cacti.php  
  
======================================================================  
6) Time Table  
  
30/12/2005 - Initial vendor notification.  
03/01/2006 - Other affected vendors notified.  
05/01/2006 - Initial vendor reply.  
08/01/2006 - New version of ADOdb released.  
09/01/2006 - Public disclosure.  
  
======================================================================  
7) Credits  
  
Discovered by Andreas Sandblad, Secunia Research.  
  
======================================================================  
8) About Secunia  
  
Secunia collects, validates, assesses, and writes advisories regarding  
all the latest software vulnerabilities disclosed to the public. These  
advisories are gathered in a publicly available database at the  
Secunia website:  
  
http://secunia.com/  
  
Secunia offers services to our customers enabling them to receive all  
relevant vulnerability information to their specific system  
configuration.  
  
Secunia offers a FREE mailing list called Secunia Security Advisories:  
  
http://secunia.com/secunia_security_advisories/  
  
======================================================================  
9) Verification  
  
Please verify this advisory by visiting the Secunia website:  
http://secunia.com/secunia_research/2005-64/advisory/  
  
Complete list of vulnerability reports published by Secunia Research:  
http://secunia.com/secunia_research/  
  
======================================================================  
  
`
JSON