
SQL Injection Vulnerability

John Stith
Staff Writer
Published: 2006-01-24


A vulnerability has been discovered in ADOdb that can be exploited by hackers to carry out SQL injection attacks. The vulnerability affects only PostgreSQL users. Andy Staudacher discovered the vulnerability, and Secunia rated the issue as moderately critical on Tuesday.

The vulnerability exists in versions prior to the current 4.71, so the appropriate patches should be applied to all earlier versions. The original release notes were posted on Sourceforge.net:

Recommended that all postgresql users upgrade to this version. Fixes important postgresql security problems related to binary strings. Thx to Andy Staudacher.

Also several DSN bugs fixed, including one introduced in 4.70 that corrupts underscores in the DSN, and in PHP5 DSN's did not work. Added support for PDO DSN connections.

And the changes include:

DSN bugs found:

1. Fix bugs in DSN connections introduced in 4.70 when underscores are found in the DSN.

2. DSN with _ did not work properly in PHP5 (fine in PHP4). Fixed.

3. Added support for PDO DSN connections in NewADOConnection(), and database parameter in PDO::Connect().

Other bugs:

The oci8 datetime flag was not correctly implemented in ADORecordSet_array. Fixed.

Added BlobDelete() to postgres, as a counterpoint to UpdateBlobFile().

Fixed GetInsertSQL() to support oci8po.

Fixed qstr() issue with postgresql with in strings.

Fixed some datadict driver loading issues in _adodb_getdriver().

Added register shutdown function session_write_close in adodb-session.inc.php for PHP 5 compat.

All this is in addition to other SQL injection vulnerabilities. On Monday, an injection vulnerability was found in Zoph. It was rated as moderately critical, and a vendor patch corrected the problem.

Secunia also reported another SQL injection vulnerability, this one in e-moBLOG. Exploitation requires that "magic_quotes_gpc" be disabled on the server. While the vulnerability was confirmed in version 1.3, other versions could also be affected.

Input passed to the "monthy" parameter in index.php and the "login" parameter in admin/index.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

All these vulnerabilities showing up so close together suggests that a little more review is needed on these products. While they aren't all exactly the same, SQL was the key to each, and all were injection vulnerabilities. In any event, keeping these products updated will help eliminate such problems.

About the Author:
John Stith is a staff writer for WebProNews covering technology and business.