Package: libphp-adodb / 5.15-1+deb8u1

Metadata

Package: libphp-adodb
Version: 5.15-1+deb8u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_fix_broken_html_doc_links

docs/docs-adodb.htm | 16 8 + 8 - 0 !
docs/docs-oracle.htm | 8 4 + 4 - 0 !
docs/docs-perf.htm | 4 2 + 2 - 0 !
docs/docs-session.htm | 2 1 + 1 - 0 !
docs/docs-session.old.htm | 2 1 + 1 - 0 !
docs/tips_portable_sql.htm | 2 1 + 1 - 0 !
docs/tute.htm | 6 3 + 3 - 0 !
7 files changed, 20 insertions(+), 20 deletions(-)

---
cve 2016 7405

drivers/adodb-pdo.inc.php | 24 24 + 0 - 0 !
1 file changed, 24 insertions(+)

 pdo: fix incorrect quoting allowing sql injection
 The PDO driver was relying on ADOConnection::qstr() for quoting strings.
 An application relying on qstr() to manually prepare SQL statements
 rather than using parameterized queries may be vulnerable to SQL
 injection attacks, as demonstrated by @jdavidlists.
 .
 This commit delegates string quoting to PDO::quote() when a connection
 is available. If not, it simply replaces single quotes by the value of
 $replaceQuote property.
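The two quoting paths named in the commit message, as an added example written for this page (not ADOdb's own driver code): a hypothetical `PdoQuoter` class delegates to `PDO::quote()` when a connection exists and otherwise doubles single quotes via a `$replaceQuote` property, and the final statement shows the parameterized query that the commit message recommends over manual quoting. It assumes the `pdo_sqlite` extension; the table and rows are constructed here.

```php
<?php
// Added example, not ADOdb code. Assumes pdo_sqlite; data below is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Hypothetical stand-in for the driver, mirroring the fix described above.
class PdoQuoter
{
    // Generic SQL fallback: a single quote inside a literal is written as two.
    public string $replaceQuote = "''";
    private ?PDO $conn;

    public function __construct(?PDO $conn)
    {
        $this->conn = $conn;
    }

    // With a live connection the driver knows the server's escaping rules,
    // so let PDO::quote() do the work; without one, fall back to replacing
    // single quotes with $replaceQuote and wrapping the result in quotes.
    public function qstr(string $s): string
    {
        if ($this->conn !== null) {
            return $this->conn->quote($s);
        }
        return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
    }
}

$withConn = new PdoQuoter($pdo);
$noConn   = new PdoQuoter(null);
$name     = "O'Brien";

// Both paths yield a literal whose embedded quote cannot end the string.
$sql = "SELECT COUNT(*) FROM users WHERE name = " . $withConn->qstr($name);
echo "quoted via PDO::quote(): ", $withConn->qstr($name), "\n";
echo "quoted via fallback:     ", $noConn->qstr($name), "\n";
echo "matches: ", $pdo->query($sql)->fetchColumn(), "\n";

// Preferred: bound parameters, so application code never quotes strings at all.
$stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name");
$stmt->execute([':name' => $name]);
echo "via prepared statement: ", $stmt->fetchColumn(), "\n";
```

The fallback branch is only a best effort for servers whose quoting rules are unknown to the driver; the prepared statement at the end is the form that removes the quoting question entirely, which is why the commit message calls manual `qstr()` use a risk rather than a supported pattern.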
cve 2016 4855

tests/test.php | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 cve-2016-4855: xss vulnerability in old test script
 This issue was reported by JPCERT Coordination Center (JPCERT/CC) with
 reference JVN#48237713.
 .
 The root cause is a foreach loop processing all GET parameters and
 blindly assigning them to variables, allowing an attacker to
 replace contents of global variables.
 .
 This limits variable processing using a regex matching those used in
 testdatabases.inc.php (i.e. beginning with 'test' or 'no').
 .
 Debian is not directly affected by this, since test.php is only
 shipped in /usr/share/doc/libphp-adodb/examples/.
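The root cause and the fix described in the commit message, as an added example written for this page (not ADOdb's test.php): a function that copies every request parameter into scope, shown only for contrast, next to a whitelist that accepts only parameter names beginning with `test` or `no`, plus escaped output for anything request-derived. The request array and the parameter names in it are constructed here and are not taken from testdatabases.inc.php.

```php
<?php
// Added example, not ADOdb code. $request stands in for $_GET and is constructed.

// The pattern the commit message describes as the root cause: every request
// parameter is assigned to a variable of the same name, so a request can
// overwrite any variable already in scope, here the pre-set 'config'.
function importEverything(array $get): array
{
    $scope = ['config' => 'default'];
    foreach ($get as $k => $v) {
        $scope[$k] = $v;            // no check on the name at all
    }
    return $scope;
}

// The fix: only names matching the test-script convention ('test...' or
// 'no...', word characters only) are accepted; everything else is dropped.
function importTestFlags(array $get): array
{
    $accepted = [];
    foreach ($get as $k => $v) {
        if (is_string($v) && preg_match('/^(test|no)\w*$/', $k)) {
            $accepted[$k] = $v;
        }
    }
    return $accepted;
}

// Constructed request: two flag-style names and one that targets 'config'.
$request = [
    'testsqlite'  => '1',
    'nocountrecs' => '1',
    'config'      => 'overwritten-by-request',
];

$before = importEverything($request);
echo "unfiltered: config = ", $before['config'], "\n";   // request value won

$flags = importTestFlags($request);
$config = 'default';
extract($flags, EXTR_SKIP);   // EXTR_SKIP: never clobber an existing variable
echo "filtered:   config = ", $config, "\n";             // still 'default'

// Anything echoed back from the request is HTML-escaped, the XSS half of the issue.
foreach ($flags as $k => $v) {
    echo htmlspecialchars($k, ENT_QUOTES, 'UTF-8'), '=',
         htmlspecialchars($v, ENT_QUOTES, 'UTF-8'), "\n";
}
```

The whitelist does the real work: once only `test*` and `no*` names can enter scope, a request can no longer redirect the script's configuration, and escaping on output closes the remaining path by which a reflected parameter could reach the browser as markup.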