The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.

Several vulnerabilities have been discovered in libphp-adodb, the 'adodb' database abstraction layer for PHP, which is embedded in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-0146     Andreas Sandblad discovered that improper user input     sanitisation results in a potential remote SQL injection     vulnerability enabling an attacker to compromise     applications, access or modify data, or exploit     vulnerabilities in the underlying database     implementation. This requires the MySQL root password to     be empty. It is fixed by limiting access to the script     in question.

  - CVE-2006-0147     A dynamic code evaluation vulnerability allows remote     attackers to execute arbitrary PHP functions via the     'do' parameter.

  - CVE-2006-0410     Andy Staudacher discovered a SQL injection vulnerability     due to insufficient input sanitising that allows remote     attackers to execute arbitrary SQL commands.

  - CVE-2006-0806     GulfTech Security Research discovered multiple     cross-site scripting vulnerabilities due to improper     user-supplied input sanitisation. Attackers can exploit     these vulnerabilities to cause arbitrary scripts to be     executed in the browser of an unsuspecting user's     machine, or result in the theft of cookie-based     authentication credentials.

Several vulnerabilities have been discovered in libphp-adodb, the 'adodb' database abstraction layer for PHP, which is embedded in moodle, a course management system for online learning. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-0146     Andreas Sandblad discovered that improper user input     sanitisation results in a potential remote SQL injection     vulnerability enabling an attacker to compromise     applications, access or modify data, or exploit     vulnerabilities in the underlying database     implementation. This requires the MySQL root password to     be empty. It is fixed by limiting access to the script     in question.

  - CVE-2006-0147     A dynamic code evaluation vulnerability allows remote     attackers to execute arbitrary PHP functions via the     'do' parameter.

  - CVE-2006-0410     Andy Staudacher discovered a SQL injection vulnerability     due to insufficient input sanitising that allows remote     attackers to execute arbitrary SQL commands.

  - CVE-2006-0806     GulfTech Security Research discovered multiple     cross-site scripting vulnerabilities due to improper     user-supplied input sanitisation. Attackers can exploit     these vulnerabilities to cause arbitrary scripts to be     executed in the browser of an unsuspecting user's     machine, or result in the theft of cookie-based     authentication credentials.

Several vulnerabilities have been discovered in libphp-adodb, the 'adodb' database abstraction layer for PHP. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-0146     Andreas Sandblad discovered that improper user input     sanitisation results in a potential remote SQL injection     vulnerability enabling an attacker to compromise     applications, access or modify data, or exploit     vulnerabilities in the underlying database     implementation. This requires the MySQL root password to     be empty. It is fixed by limiting access to the script     in question.

  - CVE-2006-0147     A dynamic code evaluation vulnerability allows remote     attackers to execute arbitrary PHP functions via the     'do' parameter.

  - CVE-2006-0410     Andy Staudacher discovered a SQL injection vulnerability     due to insufficient input sanitising that allows remote     attackers to execute arbitrary SQL commands.

  - CVE-2006-0806     GulfTech Security Research discovered multiple     cross-site scripting vulnerabilities due to improper     user-supplied input sanitisation. Attackers can exploit     these vulnerabilities to cause arbitrary scripts to be     executed in the browser of an unsuspecting user's     machine, or result in the theft of cookie-based     authentication credentials.

Secunia reports :

A security issue has been discovered in LifeType, which can be exploited by malicious people to execute arbitrary SQL code and potentially compromise a vulnerable system.

The problem is caused due to the presence of the insecure 'server.php' test script.

The remote host is affected by the vulnerability described in GLSA-200604-07 (Cacti: Multiple vulnerabilities in included ADOdb)

    Several vulnerabilities have been identified in the copy of ADOdb     included in Cacti. Andreas Sandblad discovered a dynamic code     evaluation vulnerability (CVE-2006-0147) and a potential SQL injection     vulnerability (CVE-2006-0146). Andy Staudacher reported another SQL     injection vulnerability (CVE-2006-0410), and Gulftech Security     discovered multiple cross-site-scripting issues (CVE-2006-0806).
  Impact :

    Remote attackers could trigger these vulnerabilities by sending     malicious queries to the Cacti web application, resulting in arbitrary     code execution, database compromise through arbitrary SQL execution,     and malicious HTML or JavaScript code injection.
  Workaround :

    There is no known workaround at this time.

The remote host is running ADOdb, a database abstraction library for PHP. 

The installed version of ADOdb includes a test script named 'server.php' that fails to sanitize user input to the 'sql' parameter before using it in database queries.  An attacker can exploit this issue to launch SQL injection attacks against the underlying database.

ID	Name	Product	Family	Severity
22573	Debian DSA-1031-1 : cacti - several vulnerabilities	Nessus	Debian Local Security Checks	high
22572	Debian DSA-1030-1 : moodle - several vulnerabilities	Nessus	Debian Local Security Checks	high
22571	Debian DSA-1029-1 : libphp-adodb - several vulnerabilities	Nessus	Debian Local Security Checks	high
21388	FreeBSD : lifetype -- ADOdb 'server.php' Insecure Test Script Security Issue (116b0820-d59c-11da-8098-00123ffe8333)	Nessus	FreeBSD Local Security Checks	high
21231	GLSA-200604-07 : Cacti: Multiple vulnerabilities in included ADOdb	Nessus	Gentoo Local Security Checks	high
20385	ADOdb server.php sql Parameter SQL Injection	Nessus	CGI abuses	high

Detections

Analytics

CVE-2006-0146

critical

Tenable Plugins

high

high

high

high

high

high