[VIM] phpESP ADODB fix is for old ADODB vuln
Steven M. Christey
coley at mitre.org
Mon Jun 5 11:53:13 EDT 2006

FYI, from one of our CVE analysts here...

Ref: CVE-2006-0806 - ADODB XSS

At issue here was a very short changelog entry for phpESP 1.8.2 that
says "FIXED ADODB SQL INJECT issue."

http://sourceforge.net/project/shownotes.php?release_id=419843&group_id=8956

For us at CVE, the mention of ADODB isn't enough to prove that it's
really addressing CVE-2006-0806. Obviously there's the different bug
type, but in addition, there could be an error in how phpESP *uses*
adodb (e.g. consider the recent MailManager "postgresql" hole).

So...

using this diff here:

http://phpesp.cvs.sourceforge.net/phpesp/phpESP/admin/include/lib/adodb/adodb-pager.inc.php?r1=1.1&r2=1.2

The analyst was able to conclude:

ACCURACY: The 1.8.2 changelog entry for Matthew Gregg and James
Flemer php Easy Survey Package (phpESP) says "FIXED ADODB SQL INJECT
issue." However, apparently the only ADODB-related source-code
change in phpESP 1.8.2 is one that addresses the Cross Site
Scripting issues in ADODB 4.71. Specifically, the code change
matches what is described in the GulfTech advisory for curr_page and
PHP_SELF. It is unclear why the changelog says "SQL INJECT" when
Matthew Gregg wrote "fix for ADODB XSS vulnerability" in his CVS
commit message. Probably he meant to write XSS in the changelog but
inadvertently wrote SQL INJECT instead.