CVE-2006-0146

Name: CVE-2006-0146
Description: The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-1029-1, DSA-1030-1, DSA-1031-1
NVD severity: high (attack range: remote)
Debian Bugs: 349985

Vulnerable and fixed packages

The table below lists information on source packages.

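| Source Package | Release | Version | Status |
|---|---|---|---|
| cacti (PTS) | jessie | 0.8.8b+dfsg-8+deb8u6 | fixed |
| cacti | jessie (security) | 0.8.8b+dfsg-8+deb8u4 | fixed |
| cacti | stretch | 0.8.8h+ds1-10 | fixed |
| cacti | buster, sid | 1.1.38+ds1-1 | fixed |
| libphp-adodb (PTS) | jessie | 5.15-1+deb8u1 | fixed |
| libphp-adodb | stretch | 5.20.9-1 | fixed |
| libphp-adodb | buster, sid | 5.20.12-1 | fixed |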

The information below is based on the following data on fixed versions.

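| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cacti | source | (unstable) | 0.8.6d-1 | medium | | |
| cacti | source | sarge | 0.8.6c-7sarge3 | high | DSA-1031-1 | |
| libphp-adodb | source | (unstable) | 4.72-0.1 | medium | | 349985 |
| libphp-adodb | source | sarge | 4.52-1sarge1 | high | DSA-1029-1 | |
| libphp-adodb | source | woody | 1.51-1.2 | high | DSA-1029-1 | |
| moodle | source | (unstable) | 1.6.3-2 | medium | | |
| moodle | source | sarge | 1.4.4.dfsg.1-3sarge1 | high | DSA-1030-1 | |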

Notes

exact moodle fixed version not known, but at least <= 1.6.3-2
