ADOdb, SQL Injection, CVE-2023-XXXX (Critical)

How the CVE Works:

The vulnerability occurs in ADOdb’s PostgreSQL drivers (postgres64, postgres7, postgres8, postgres9) due to improper escaping of the `$fieldname` parameter in the `pg_insert_id()` function. When user-controlled input is passed directly into this function without sanitization, an attacker can manipulate SQL queries by injecting malicious payloads. This leads to arbitrary SQL execution on the PostgreSQL database. The flaw arises because the function fails to properly escape identifiers before constructing the query, allowing attackers to break out of the intended SQL syntax and execute unauthorized commands.

DailyCVE Form:

Platform: ADOdb
Version: <5.22.9
Vulnerability: SQL Injection
Severity: Critical
Date: 2023-XX-XX

What Undercode Say:

Exploitation:

// Malicious payload example
$maliciousField = "id; DROP TABLE users; --";
$db->pg_insert_id($maliciousField);

This injects a destructive SQL command when `pg_insert_id()` processes the unsanitized input.

Detection:

grep -r "pg_insert_id(" /path/to/code

Check for unsanitized user input passed to `pg_insert_id()`.

Protection:

1. Update ADOdb:

composer require adodb/adodb-php:5.22.9

2. Manual Sanitization:

$safeField = pg_escape_identifier($userInput);
$db->pg_insert_id($safeField);

3. Input Validation:

// Reject anything that is not a plain identifier (the original pattern lacked the `*`
// quantifier and so only matched two-character names)
if (!preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*$/', $fieldname)) {
    throw new Exception("Invalid field name");
}
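The two protection steps above (quote the identifier, validate the input) combined into one defensive helper, as an added example that is not ADOdb's own code; the `SELECT last_value FROM ..._seq` query shape, the `buildSequenceQuery()` name and the allowlist are constructed for illustration, and `quoteIdentifier()` reproduces the double-quote doubling that `pg_escape_identifier()` performs so the script runs without a database connection:

```php
<?php
// Added example (not ADOdb's code): handle a caller-supplied field name before it
// reaches an identifier position such as pg_insert_id()'s $fieldname.
// Two independent layers: a strict allowlist check, then identifier quoting.

/**
 * Validate $fieldname against a strict identifier pattern and, optionally,
 * against the set of columns the application actually knows about.
 */
function assertSafeFieldName(string $fieldname, array $allowedColumns = []): string
{
    // Plain SQL identifier: letter/underscore, then letters, digits, underscores.
    // PostgreSQL truncates identifiers beyond 63 bytes; reject longer names outright.
    if (!preg_match('/^[a-zA-Z_][a-zA-Z0-9_]{0,62}$/', $fieldname)) {
        throw new InvalidArgumentException("Invalid field name: " . $fieldname);
    }
    if ($allowedColumns !== [] && !in_array($fieldname, $allowedColumns, true)) {
        throw new InvalidArgumentException("Field name not in allowlist: " . $fieldname);
    }
    return $fieldname;
}

/**
 * Quote a string as a PostgreSQL identifier without a live connection:
 * wrap in double quotes and double any embedded double quote (the same
 * transformation pg_escape_identifier() applies).
 */
function quoteIdentifier(string $name): string
{
    return '"' . str_replace('"', '""', $name) . '"';
}

/**
 * Build the sequence lookup the way a hardened caller should: validated names
 * first, then quoting. The query shape is a constructed illustration, not ADOdb's.
 */
function buildSequenceQuery(string $table, string $fieldname, array $allowedColumns): string
{
    $table = assertSafeFieldName($table);
    $fieldname = assertSafeFieldName($fieldname, $allowedColumns);
    $seq = quoteIdentifier($table . '_' . $fieldname . '_seq');
    return 'SELECT last_value FROM ' . $seq;
}

// Constructed inputs: a legitimate column, then the payload shown above.
$allowed = ['id', 'order_id'];
echo buildSequenceQuery('users', 'id', $allowed), "\n";
try {
    buildSequenceQuery('users', "id; DROP TABLE users; --", $allowed);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

The allowlist is the layer that actually decides which columns a request may name; quoting only guarantees that whatever survives validation cannot change the query's structure.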

PostgreSQL Audit:

-- Check for suspicious queries
SELECT usename, query FROM pg_stat_activity WHERE query LIKE '%DROP%';

Mitigation Commands:

-- Restrict database user privileges
ALTER ROLE app_user NOSUPERUSER NOCREATEDB NOCREATEROLE;

Logging & Monitoring:

// Enable ADOdb debug logging
$db->debug = true;

Patch Verification:

git clone https://github.com/ADOdb/ADOdb
git checkout 11107d6d6e5160b62e05dff8a3a2678cf0e3a426

Sources:

Reported By: github.com