GHSA-65MJ-7C86-79JF

Vulnerability from github – Published: 2022-01-27 15:23 – Updated: 2022-02-07 22:34
VLAI?
Summary
Authentication Bypass in ADOdb/ADOdb
Details

Impact

An attacker can inject values into a PostgreSQL connection string by providing a parameter surrounded by single quotes.

Depending on how the library is used in the client software, this may allow an attacker to bypass the login process, gain access to the server's IP address, etc.

Patches

The vulnerability is fixed in ADOdb versions 5.20.21 (952de6c4273d9b1e91c2b838044f8c2111150c29) and 5.21.4 or later (b4d5ce70034c5aac3a1d51d317d93c037a0938d2).

The simplest patch is to delete line 29 in drivers/adodb-postgres64.inc.php:

diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
index d04b7f67..729d7141 100644
--- a/drivers/adodb-postgres64.inc.php
+++ b/drivers/adodb-postgres64.inc.php
@@ -26,7 +26,6 @@ function adodb_addslashes($s)
 {
    $len = strlen($s);
    if ($len == 0) return "''";
-   if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted

    return "'".addslashes($s)."'";
 }

Workarounds

Ensure the parameters passed to ADOConnection::connect() or related functions (nConnect(), pConnect()) are not surrounded by single quotes.

Credits

Thanks to Emmet Leahy (@meme-lord) of Sorcery Ltd for reporting this vulnerability, and to the huntr team for their support.

References

  • Original issue report https://huntr.dev/bounties/bdf5f216-4499-4225-a737-b28bc6f5801c/
  • ADOdb reference issue #793

For more information

If you have any questions or comments about this advisory: * Add a note in issue #793 * Contact the maintainers on Gitter

Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.20.20"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "adodb/adodb-php"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.20.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.21.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "adodb/adodb-php"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.21.0"
            },
            {
              "fixed": "5.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-24T22:39:29Z",
    "nvd_published_at": "2022-01-25T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nAn attacker can inject values into a PostgreSQL connection string by providing a parameter surrounded by single quotes.\n\nDepending on how the library is used in the client software, this may allow an attacker to bypass the login process, gain access to the server\u0027s IP address, etc.\n\n### Patches\n\nThe vulnerability is fixed in ADOdb versions 5.20.21 (952de6c4273d9b1e91c2b838044f8c2111150c29) and 5.21.4 or later (b4d5ce70034c5aac3a1d51d317d93c037a0938d2).\n\nThe simplest patch is to delete line 29 in `drivers/adodb-postgres64.inc.php`:\n\n```php\ndiff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php\nindex d04b7f67..729d7141 100644\n--- a/drivers/adodb-postgres64.inc.php\n+++ b/drivers/adodb-postgres64.inc.php\n@@ -26,7 +26,6 @@ function adodb_addslashes($s)\n {\n    $len = strlen($s);\n    if ($len == 0) return \"\u0027\u0027\";\n-   if (strncmp($s,\"\u0027\",1) === 0 \u0026\u0026 substr($s,$len-1) == \"\u0027\") return $s; // already quoted\n \n    return \"\u0027\".addslashes($s).\"\u0027\";\n }\n```\n\n### Workarounds\n\nEnsure the parameters passed to *ADOConnection::connect()* or related functions (_nConnect()_, _pConnect()_) are not surrounded by single quotes.\n\n### Credits\n\nThanks to **Emmet Leahy** (@meme-lord) of Sorcery Ltd for reporting this vulnerability, and to the [huntr](https://huntr.dev/) team for their support.\n\n### References\n\n- Original issue report https://huntr.dev/bounties/bdf5f216-4499-4225-a737-b28bc6f5801c/\n- ADOdb reference issue #793 \n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Add a note in issue #793\n* Contact the maintainers on [Gitter](https://gitter.im/adodb/adodb)\n",
  "id": "GHSA-65mj-7c86-79jf",
  "modified": "2022-02-07T22:34:28Z",
  "published": "2022-01-27T15:23:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ADOdb/ADOdb/security/advisories/GHSA-65mj-7c86-79jf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3850"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ADOdb/ADOdb/issues/793"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ADOdb/ADOdb/commit/952de6c4273d9b1e91c2b838044f8c2111150c29"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ADOdb/ADOdb/commit/b4d5ce70034c5aac3a1d51d317d93c037a0938d2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ADOdb/ADOdb"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/bdf5f216-4499-4225-a737-b28bc6f5801c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5101"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication Bypass in ADOdb/ADOdb"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.