Package: libphp-adodb / 5.15-1+deb8u1
Metadata
Package | Version | Patches format |
---|---|---|
libphp-adodb | 5.15-1+deb8u1 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
01_fix_broken_html_doc_links | docs/docs-adodb.htm: 16 lines changed (+8, -8, 0 modified) | (no description) |
cve-2016-7405 | drivers/adodb-pdo.inc.php: 24 lines changed (+24, -0, 0 modified) | pdo: fix incorrect quoting allowing sql injection. The PDO driver was relying on ADOConnection::qstr() for quoting strings. An application relying on qstr() to manually prepare SQL statements rather than using parameterized queries may be vulnerable to SQL injection attacks, as demonstrated by @jdavidlists. This commit delegates string quoting to PDO::quote() when a connection is available. If not, it simply replaces single quotes by the value of the $replaceQuote property. |
cve-2016-4855 | tests/test.php: 7 lines changed (+5, -2, 0 modified) | cve-2016-4855: xss vulnerability in old test script. This issue was reported by JPCERT Coordination Center (JPCERT/CC) with reference JVN#48237713. The root cause is a foreach loop processing all GET parameters and blindly assigning them to variables, allowing an attacker to replace contents of global variables. This limits variable processing using a regex matching those used in testdatabases.inc.php (i.e. beginning with 'test' or 'no'). Debian is not directly affected by this, since test.php is only shipped in /usr/share/doc/libphp-adodb/examples/. |
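The cve-2016-7405 description above names the failure mode (a qstr() that only swaps the single quote for a configured $replaceQuote, with no knowledge of the backend) and the fix (delegate to PDO::quote() when a connection exists, prefer bound parameters anyway). The script below is an added illustration of that difference, not ADOdb's code and not the input @jdavidlists reported. It runs against an in-memory SQLite table with constructed rows; the `naiveQstr`, `pdoQstr` and `countByName` helpers, the table, and the attacker string are all assumptions made for the example. The point it makes is narrower than the CVE: a quoting rule copied from one backend (backslash escaping) applied to another that gives backslash no meaning leaves the quote live, while PDO::quote() asks the driver and a bound parameter never puts the value into SQL text at all.

```php
<?php
// Added illustration for the cve-2016-7405 patch; not ADOdb's code.
// Requires the pdo_sqlite extension (assumption: it is installed).

function naiveQstr(string $s, string $replaceQuote): string
{
    // Old behaviour described in the patch: no knowledge of the backend,
    // just replace every single quote with $replaceQuote.
    return "'" . str_replace("'", $replaceQuote, $s) . "'";
}

function pdoQstr(?PDO $pdo, string $s, string $replaceQuote = "''"): string
{
    // Fixed behaviour described in the patch: ask the driver when a
    // connection is available, otherwise fall back to the plain replacement.
    if ($pdo !== null) {
        $quoted = $pdo->quote($s);
        if ($quoted !== false) {
            return $quoted;
        }
    }
    return naiveQstr($s, $replaceQuote);
}

function countByName(PDO $pdo, string $literal): int
{
    // Deliberately concatenates a pre-quoted literal, as a qstr() caller
    // that hand-builds its SQL would.
    $sql = "SELECT COUNT(*) FROM users WHERE name = " . $literal;
    return (int) $pdo->query($sql)->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')"); // constructed rows

$payload = "' OR 1=1 --"; // constructed attacker-controlled input

// Backslash-style escaping (the rule a MySQL-oriented configuration would
// carry in $replaceQuote) applied to SQLite, where backslash is an ordinary
// character: the literal closes at the payload's own quote and the rest of
// the payload becomes SQL, so the WHERE clause is always true.
printf("naive : %s\n", naiveQstr($payload, "\\'"));
printf("naive : %d rows\n", countByName($pdo, naiveQstr($payload, "\\'")));

// Driver-supplied quoting applies the rule SQLite actually parses.
printf("PDO   : %s\n", pdoQstr($pdo, $payload));
printf("PDO   : %d rows\n", countByName($pdo, pdoQstr($pdo, $payload)));

// Bound parameter: the value is sent separately from the statement text,
// which is what the patch description recommends over manual qstr() use.
$stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE name = :name");
$stmt->execute([':name' => $payload]);
printf("bound : %d rows\n", (int) $stmt->fetchColumn());
```

Run it with `php` from the command line. The first query matches every row because the quote was never neutralised; the PDO::quote() and bound-parameter queries match none. The fallback branch of `pdoQstr` is still only as good as $replaceQuote, which is why the commit message treats parameterized queries, not quoting, as the real remedy.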
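The cve-2016-4855 description above gives the root cause (a foreach over the GET parameters assigning each one to a variable of that name, so any global can be overwritten from the query string) and the fix (only names matching a regex are assigned). The script below is an added illustration, not ADOdb's test.php. The contents of $_GET are constructed by hand so it runs from the CLI, `importVariables` and the variable names are assumptions, and since this page does not show the patch's regex, the pattern used here is an assumption built from the description's "beginning with 'test' or 'no'".

```php
<?php
// Added illustration for the cve-2016-4855 patch; not ADOdb's test.php.

// Constructed request: two parameters the old test script would expect,
// plus one that collides with a global the script never meant to expose.
$_GET = [
    'testmysql'   => '1',
    'nologging'   => '1',
    'dbhost'      => 'attacker.example',
];

function importVariables(array $params, bool $restrict): array
{
    // Assumption: the patch's regex is not on this page; this one accepts
    // names that begin with 'test' or 'no' and contain only word characters.
    $allowed = '/^(test|no)[A-Za-z0-9_]*$/';
    $assigned = [];
    foreach ($params as $k => $v) {
        if ($restrict && !preg_match($allowed, $k)) {
            continue; // fixed behaviour: names outside the allowed shape are ignored
        }
        $GLOBALS[$k] = $v; // old behaviour: the effect of $$k = $v in global scope
        $assigned[] = $k;
    }
    return $assigned; // the names that were written, so the caller can audit them
}

// Old behaviour: every key in the request becomes a global.
$dbhost = 'db.internal';
$written = importVariables($_GET, false);
printf("unrestricted: dbhost=%s written=%s\n", $dbhost, implode(',', $written));

// Fixed behaviour: the regex keeps the request from reaching $dbhost.
$dbhost = 'db.internal';
$written = importVariables($_GET, true);
printf("restricted  : dbhost=%s written=%s\n", $dbhost, implode(',', $written));
```

In the unrestricted run `$dbhost` is replaced by the request value; in the restricted run it keeps its configured value and only the 'test'/'no' names are written. A prefix regex is what the patch description says was chosen; it still lets a request set any variable whose name happens to start with 'test' or 'no', so a script that does this in production should use an explicit list of accepted names (or `extract()` with `EXTR_SKIP` on a filtered array) rather than variable variables.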