CVE-2006-0146

Name: CVE-2006-0146
Description: The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-1029-1, DSA-1030-1, DSA-1031-1
NVD severity: high (attack range: remote)
Debian Bugs: 349985
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| cacti (PTS) | squeeze (security), squeeze | 0.8.7g-1+squeeze3 | fixed |
| cacti | squeeze (lts) | 0.8.7g-1+squeeze5 | fixed |
| cacti | wheezy, wheezy (security) | 0.8.8a+dfsg-5+deb7u4 | fixed |
| cacti | jessie, sid | 0.8.8b+dfsg-8 | fixed |
| libphp-adodb (PTS) | squeeze | 5.10-1 | fixed |
| libphp-adodb | jessie, sid, wheezy | 5.15-1 | fixed |
| moodle (PTS) | squeeze | 1.9.9.dfsg2-2.1+squeeze4 | fixed |
| moodle | squeeze (security) | 1.9.9.dfsg2-2.1+squeeze3 | fixed |
| moodle | sid | 2.7.5+dfsg-2 | fixed |

The information above is based on the following data on fixed versions.

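| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cacti | source | (unstable) | 0.8.6d-1 | medium | | |
| cacti | source | sarge | 0.8.6c-7sarge3 | high | DSA-1031-1 | |
| libphp-adodb | source | (unstable) | 4.72-0.1 | medium | | 349985 |
| libphp-adodb | source | sarge | 4.52-1sarge1 | high | DSA-1029-1 | |
| libphp-adodb | source | woody | 1.51-1.2 | high | DSA-1029-1 | |
| moodle | source | (unstable) | 1.6.3-2 | medium | | |
| moodle | source | sarge | 1.4.4.dfsg.1-3sarge1 | high | DSA-1030-1 | |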

Notes

exact moodle fixed version not known, but at least <= 1.6.3-2
