[VIM] phpESP ADODB fix is for old ADODB vuln

Steven M. Christey coley at mitre.org
Mon Jun 5 11:53:13 EDT 2006


FYI, from one of our CVE analysts here...

Ref: CVE-2006-0806 - ADODB XSS

At issue here was a very short changelog entry for phpESP 1.8.2 that
says "FIXED ADODB SQL INJECT issue."

  http://sourceforge.net/project/shownotes.php?release_id=419843&group_id=8956


For us at CVE, the mention of ADODB isn't enough to prove that it's
really addressing CVE-2006-0806.  Obviously there's the different bug
type, but in addition, there could be an error in how phpESP *uses*
adodb (e.g. consider the recent MailManager "postgresql" hole).

So...

using this diff here:

  http://phpesp.cvs.sourceforge.net/phpesp/phpESP/admin/include/lib/adodb/adodb-pager.inc.php?r1=1.1&r2=1.2

The analyst was able to conclude:

  ACCURACY: The 1.8.2 changelog entry for Matthew Gregg and James
  Flemer php Easy Survey Package (phpESP) says "FIXED ADODB SQL INJECT
  issue."  However, apparently the only ADODB-related source-code
  change in phpESP 1.8.2 is one that addresses the Cross Site
  Scripting issues in ADODB 4.71. Specifically, the code change
  matches what is described in the GulfTech advisory for curr_page and
  PHP_SELF. It is unclear why the changelog says "SQL INJECT" when
  Matthew Gregg wrote "fix for ADODB XSS vulnerability" in his CVS
  commit message. Probably he meant to write XSS in the changelog but
  inadvertently wrote SQL INJECT instead.

