Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Adodb | John_lim | 4.66 (including) | 4.66 (including) |
| Adodb | John_lim | 4.68 (including) | 4.68 (including) |
| Mantis | Mantis | 0.19.4 (including) | 0.19.4 (including) |
| Mantis | Mantis | 1.0.0_rc4 (including) | 1.0.0_rc4 (including) |
| Moodle | Moodle | 1.5.3 (including) | 1.5.3 (including) |
| Postnuke | Postnuke_software_foundation | 0.761 (including) | 0.761 (including) |
| Cacti | The_cacti_group | 0.8.6g (including) | 0.8.6g (including) |
| Libphp-adodb | Ubuntu | dapper | * |
| Libphp-adodb | Ubuntu | devel | * |
| Libphp-adodb | Ubuntu | edgy | * |
| Libphp-adodb | Ubuntu | feisty | * |
| Libphp-adodb | Ubuntu | gutsy | * |
References
- http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html
- http://retrogod.altervista.org/simplog_092_incl_xpl.html
- http://secunia.com/advisories/17418
- http://secunia.com/advisories/18233
- http://secunia.com/advisories/18254
- http://secunia.com/advisories/18260
- http://secunia.com/advisories/18267
- http://secunia.com/advisories/18276
- http://secunia.com/advisories/19555
- http://secunia.com/advisories/19590
- http://secunia.com/advisories/19591
- http://secunia.com/advisories/19600
- http://secunia.com/advisories/19628
- http://secunia.com/advisories/19691
- http://secunia.com/secunia_research/2005-64/advisory/
- http://www.debian.org/security/2006/dsa-1029
- http://www.debian.org/security/2006/dsa-1030
- http://www.debian.org/security/2006/dsa-1031
- http://www.gentoo.org/security/en/glsa/glsa-200604-07.xml
- http://www.osvdb.org/22291
- http://www.securityfocus.com/archive/1/430448/100/0/threaded
- http://www.securityfocus.com/archive/1/430743/100/0/threaded
- http://www.vupen.com/english/advisories/2006/0101
- http://www.vupen.com/english/advisories/2006/0102
- http://www.vupen.com/english/advisories/2006/0103
- http://www.vupen.com/english/advisories/2006/0104
- http://www.vupen.com/english/advisories/2006/1305
- http://www.vupen.com/english/advisories/2006/1332
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24052
- https://www.exploit-db.com/exploits/1663
- http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html
- http://retrogod.altervista.org/simplog_092_incl_xpl.html
- http://secunia.com/advisories/17418
- http://secunia.com/advisories/18233
- http://secunia.com/advisories/18254
- http://secunia.com/advisories/18260
- http://secunia.com/advisories/18267
- http://secunia.com/advisories/18276
- http://secunia.com/advisories/19555
- http://secunia.com/advisories/19590
- http://secunia.com/advisories/19591
- http://secunia.com/advisories/19600
- http://secunia.com/advisories/19628
- http://secunia.com/advisories/19691
- http://secunia.com/secunia_research/2005-64/advisory/
- http://www.debian.org/security/2006/dsa-1029
- http://www.debian.org/security/2006/dsa-1030
- http://www.debian.org/security/2006/dsa-1031
- http://www.gentoo.org/security/en/glsa/glsa-200604-07.xml
- http://www.osvdb.org/22291
- http://www.securityfocus.com/archive/1/430448/100/0/threaded
- http://www.securityfocus.com/archive/1/430743/100/0/threaded
- http://www.vupen.com/english/advisories/2006/0101
- http://www.vupen.com/english/advisories/2006/0102
- http://www.vupen.com/english/advisories/2006/0103
- http://www.vupen.com/english/advisories/2006/0104
- http://www.vupen.com/english/advisories/2006/1305
- http://www.vupen.com/english/advisories/2006/1332
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24052
- https://www.exploit-db.com/exploits/1663