CVE-2016-7405

NameCVE-2016-7405
DescriptionThe qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-620-1
Debian Bugs837211

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libphp-adodb (PTS)jessie, jessie (lts)5.15-1+deb8u2fixed
stretch (security), stretch (lts), stretch5.20.9-1+deb9u1fixed
buster (security), buster, buster (lts)5.20.14-1+deb10u1fixed
bullseye (security), bullseye5.20.19-1+deb11u1fixed
bookworm5.21.4-1fixed
sid, trixie5.22.7-0.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libphp-adodbsourcewheezy5.15-1+deb7u1DLA-620-1
libphp-adodbsourcejessie5.15-1+deb8u1
libphp-adodbsource(unstable)5.20.6-1837211

Notes

https://github.com/ADOdb/ADOdb/issues/226
https://github.com/ADOdb/ADOdb/commit/bd9eca9
Issue only with the PDO driver and only if queries built by inlining
the quoted string (not recommended).
https://www.openwall.com/lists/oss-security/2016/09/07/8
Search for package or bug name: Reporting problems