CVE-2016-7405

NameCVE-2016-7405
DescriptionThe qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-620-1
NVD severityhigh
Debian Bugs837211

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libphp-adodb (PTS)stretch5.20.9-1fixed
buster5.20.14-1fixed
bullseye, sid5.20.17-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libphp-adodbsource(unstable)5.20.6-1837211
libphp-adodbsourcejessie5.15-1+deb8u1
libphp-adodbsourcewheezy5.15-1+deb7u1DLA-620-1

Notes

https://github.com/ADOdb/ADOdb/issues/226
https://github.com/ADOdb/ADOdb/commit/bd9eca9
Issue only with the PDO driver and only if queries built by inlining
the quoted string (not recommended).
http://www.openwall.com/lists/oss-security/2016/09/07/8

Search for package or bug name: Reporting problems