| Name | CVE-2006-0146 |
| Description | The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-1029-1, DSA-1030-1, DSA-1031-1 |
| Debian Bugs | 349985 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cacti (PTS) | bullseye | 1.2.16+ds1-2+deb11u3 | fixed |
| bullseye (security) | 1.2.16+ds1-2+deb11u4 | fixed | |
| bookworm | 1.2.24+ds1-1+deb12u4 | fixed | |
| bookworm (security) | 1.2.24+ds1-1+deb12u2 | fixed | |
| sid, trixie | 1.2.28+ds1-2 | fixed | |
| libphp-adodb (PTS) | bullseye (security), bullseye | 5.20.19-1+deb11u1 | fixed |
| bookworm | 5.21.4-1 | fixed | |
| sid, trixie | 5.22.7-0.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cacti | source | sarge | 0.8.6c-7sarge3 | DSA-1031-1 | ||
| cacti | source | (unstable) | 0.8.6d-1 | medium | ||
| libphp-adodb | source | woody | 1.51-1.2 | DSA-1029-1 | ||
| libphp-adodb | source | sarge | 4.52-1sarge1 | DSA-1029-1 | ||
| libphp-adodb | source | (unstable) | 4.72-0.1 | medium | 349985 | |
| moodle | source | sarge | 1.4.4.dfsg.1-3sarge1 | DSA-1030-1 | ||
| moodle | source | (unstable) | 1.6.3-2 | medium |
exact moodle fixed version not known, but at least <= 1.6.3-2