GHSA-8x27-jwjr-8545: SQL injection in ADOdb PostgreSQL driver pg_insert_id() method

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data.

Note that the indicated Severity corresponds to a worst-case usage scenario.

Impact

Affects the PostgreSQL drivers (postgres64, postgres7, postgres8, postgres9).

Patches

The vulnerability is fixed in ADOdb 5.22.9 (commit 11107d6d6e5160b62e05dff8a3a2678cf0e3a426).

Workarounds

Only pass controlled data (values your own code chooses, never user-supplied input) to the pg_insert_id() method's $fieldname parameter, or escape it with pg_escape_identifier() first.
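As an added illustration of the two workarounds (this is not ADOdb's own code, and the table/column allowlist is constructed for the example), the following PHP shows a caller that lets request data reach pg_insert_id() beside one that restricts $fieldname to known columns, plus the pg_escape_identifier() alternative the advisory names. It assumes $db is an ADOdb PostgreSQL connection object and that its _connectionID property holds the underlying pgsql connection resource needed by pg_escape_identifier().

```php
<?php
declare(strict_types=1);

// Added example, not ADOdb's own code. Assumptions: $db is an ADOdb connection
// object for one of the PostgreSQL drivers (e.g. ADONewConnection('postgres9')),
// and $db->_connectionID is the underlying pgsql connection resource.

/**
 * Constructed allowlist of tables and their serial primary-key columns.
 * A real application derives this from its schema, never from the request.
 */
const INSERT_ID_FIELDS = [
    'users'  => ['id'],
    'orders' => ['order_id'],
];

/**
 * Vulnerable pattern (ADOdb < 5.22.9): a request parameter flows straight
 * into $fieldname, so the column name is attacker-controlled.
 */
function lastInsertIdUnsafe(object $db, string $table): mixed
{
    $field = $_GET['field'] ?? 'id';
    return $db->pg_insert_id($table, $field);
}

/**
 * Hardened pattern, workaround 1: only a value from the allowlist reaches
 * pg_insert_id(), so $fieldname is always controlled data regardless of
 * what the request contained.
 */
function lastInsertIdSafe(object $db, string $table, string $requestedField): mixed
{
    $allowed = INSERT_ID_FIELDS[$table] ?? [];
    if (!in_array($requestedField, $allowed, true)) {
        throw new InvalidArgumentException(
            "Field '$requestedField' is not an insert-id column of '$table'"
        );
    }
    return $db->pg_insert_id($table, $requestedField);
}

/**
 * Workaround 2 from the advisory: escape the identifier before passing it.
 * pg_escape_identifier() returns the name double-quoted, with any embedded
 * double quote doubled, so the value can no longer close the identifier the
 * driver builds. Confirm that the driver version you run accepts a quoted
 * identifier at this position before relying on this form alone.
 */
function escapedInsertIdField(object $db, string $requestedField): string
{
    return pg_escape_identifier($db->_connectionID, $requestedField);
}

// Usage with a constructed request value:
// $_GET['field'] = 'id';
// $id = lastInsertIdSafe($db, 'users', $_GET['field']);
```

The allowlist is the stronger of the two options because it removes the untrusted value entirely rather than transforming it; the escaping helper is shown separately so the two workarounds are not combined in one call.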

Credits

Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.


References

  • GHSA-8x27-jwjr-8545
  • ADOdb/ADOdb#1070
  • ADOdb/ADOdb@11107d6
