Debian 10261 Published by

A libphp-adodb security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where an attacker can inject values into the PostgreSQL connection string by bypassing adodb_addslashes().



ELA-560-1 libphp-adodb security update

Package libphp-adodb
Version 5.15-1+deb8u2
Related CVEs CVE-2021-3850

It was found that in libphp-adodb, a PHP database abstraction layer library, an attacker can inject values into the PostgreSQL connection string by bypassing adodb_addslashes(). The function can be bypassed in phppgadmin, for example, by surrounding the username in quotes and submitting with other parameters injected in between.

For Debian 8 jessie, these problems have been fixed in version 5.15-1+deb8u2.

We recommend that you upgrade your libphp-adodb packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-560-1 libphp-adodb security update