View Issue Details

ID: 0006650
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-10-09 11:55
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.0rc4
Fixed in Version: 1.0.0
Summary: 0006650: ADOdb can be exploited to execute arbitrary SQL code
Description

Secunia Research has discovered that Mantis stores test scripts for the
ADOdb library insecurely inside the web root. This can be exploited by
malicious people to execute arbitrary SQL code if the MySQL password for
the root user is empty. This may further be exploited to compromise a
vulnerable system.

The presence of the "server.php" and "tmssql.php" test scripts has been
confirmed in versions 0.19.4 and 1.0.0rc4.

Please respond as soon as possible. We have assigned Secunia Advisory
SA18254 for the security issues. Please note that we are coordinating
this between multiple vendors and thus consider knowledge of the
security issues to be semi-public.

Below is the original description of the security issues sent to the
author of ADOdb Fri 30 Dec 2005:

Secunia Research has discovered two security issues in ADOdb, which can
be exploited by malicious people to execute arbitrary SQL code and
disclose system information.

1) The problem is caused due to the presence of the insecure
"server.php" test script. This can be exploited to execute arbitrary SQL
code via the "sql" parameter.

Example:
http://[host]/server.php?sql=SELECT '[content]' INTO OUTFILE '[file]'
(create an arbitrary PHP script in a directory inside the web root
writable by the MySQL user)

Successful exploitation requires that the MySQL password for the root
user is empty and that the affected script is placed accessible inside
the web root.

2) The problem is caused due to the presence of the insecure
"tests/tmssql.php" test script. This can be exploited to call an
arbitrary PHP function via the "do" parameter.

Example:
http://[host]/tests/tmssql.php?do=phpinfo

Successful exploitation requires that the affected script is placed
accessible inside the web root.

The security issues have been confirmed in versions 4.66 and 4.68. Other
versions may also be affected.

--
Kind regards,

Andreas Sandblad
IT Security Specialist
Secunia

Tags: No tags attached.

Relationships

related to 0006667 (closed, vboctor): Adodb and phpmailer update ....

Activities

ryandesign

2006-01-31 15:49

reporter   ~0012054

As far as I can tell, ADOdb 4.71 is no longer vulnerable... it now restricts connections to 127.0.0.1, tries by default to connect to MySQL with a non-blank password, and only allows certain specific PHP functions to be specified via GET parameter.

vboctor

2006-02-02 06:18

manager   ~0012061

The fix for now (until we upgrade to a patched version of ADODB):

  • In core/adodb/server.php line 29, change
    $ACCEPTIP = '';
    to
    $ACCEPTIP = '127.0.0.1';

  • Delete core/adodb/tests/ folder and all its contents.
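
One way to verify that the workaround in note ~0012061 has been applied to an installation, as an added example that is not part of the original issue or of MantisBT. The function name `audit_adodb` and the root-path argument are assumptions; the `core/adodb/` paths come from the note.

```shell
#!/bin/sh
# Added example: audit a MantisBT tree for the workaround in note ~0012061.
# The root path argument is an assumption; core/adodb/ paths come from the note.

# Exit status: 0 = workaround applied, 1 = at least one finding, 2 = no ADOdb found.
audit_adodb() {
    root=${1:-.}
    adodb="$root/core/adodb"
    findings=0

    if [ ! -d "$adodb" ]; then
        echo "no core/adodb directory under $root" >&2
        return 2
    fi

    # Step 1: server.php must not ship with an empty $ACCEPTIP.
    # The pattern matches both '' and "" as the assigned value.
    empty_ip="^[[:space:]]*\\\$ACCEPTIP[[:space:]]*=[[:space:]]*(''|\"\")[[:space:]]*;"
    if [ -f "$adodb/server.php" ] && grep -Eq "$empty_ip" "$adodb/server.php"; then
        echo "FINDING: $adodb/server.php has an empty \$ACCEPTIP"
        findings=$((findings + 1))
    fi

    # Step 2: the tests/ folder (which holds tmssql.php) must be gone.
    if [ -d "$adodb/tests" ]; then
        echo "FINDING: $adodb/tests is still present"
        findings=$((findings + 1))
    fi

    if [ "$findings" -gt 0 ]; then
        return 1
    fi
    echo "OK: $adodb matches the workaround"
    return 0
}

# Run only when a path is given, e.g.: sh audit.sh /var/www/mantis (constructed path)
if [ "$#" -gt 0 ]; then
    audit_adodb "$1"
fi
```

The check only inspects files on disk; it does not test whether the scripts are reachable through the web server.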

vboctor

2006-02-02 06:25

manager   ~0012062

This is now fixed on the 1.0.0rc5 branch, and hence will be included in 1.0.0rc6 or 1.0.0, whatever the next release is.

It is also applied to the main trunk which means that it is applied to 1.1.0.