A libphp-adodb security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where an attacker can inject values into the PostgreSQL connection string by bypassing adodb_addslashes().
ELA-560-1 libphp-adodb security update
Package libphp-adodb
ELA-560-1 libphp-adodb security update
Version 5.15-1+deb8u2
Related CVEs CVE-2021-3850
It was found that in libphp-adodb, a PHP database abstraction layer library, an attacker can inject values into the PostgreSQL connection string by bypassing adodb_addslashes(). The function can be bypassed in phppgadmin, for example, by surrounding the username in quotes and submitting with other parameters injected in between.
For Debian 8 jessie, these problems have been fixed in version 5.15-1+deb8u2.
We recommend that you upgrade your libphp-adodb packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
