The remote host is running ADOdb, a database abstraction library for PHP. 

The installed version of ADOdb includes a test script named 'server.php' that fails to sanitize user input to the 'sql' parameter before using it in database queries.  An attacker can exploit this issue to launch SQL injection attacks against the underlying database.

リモートホストは、PHPのデータベース抽象化ライブラリであるADOdbを実行しています。 

インストールされているバージョンのADOdbには、「server.php」という名前のテストスクリプトが含まれており、データベースクエリでの実行前に「sql」パラメーターへのユーザー入力のサニタイズに失敗します。攻撃者がこの問題を悪用して、基盤となるデータベースに対してSQLインジェクション攻撃を仕掛ける可能性があります。

遠端主機正在執行 ADOdb，這是一個適用於 PHP 的資料庫提取程式庫。 

安裝的 ADOdb 版本包含一個名為「server.php」的測試指令碼，其未清理「sql」參數的使用者輸入資料便將它用於資料庫查詢。攻擊者可利用此問題對底層資料庫發動 SQL 注入攻擊。

The remote host is affected by the vulnerability described in GLSA-200604-07 (Cacti: Multiple vulnerabilities in included ADOdb)

    Several vulnerabilities have been identified in the copy of ADOdb     included in Cacti. Andreas Sandblad discovered a dynamic code     evaluation vulnerability (CVE-2006-0147) and a potential SQL injection     vulnerability (CVE-2006-0146). Andy Staudacher reported another SQL     injection vulnerability (CVE-2006-0410), and Gulftech Security     discovered multiple cross-site-scripting issues (CVE-2006-0806).
  Impact :

    Remote attackers could trigger these vulnerabilities by sending     malicious queries to the Cacti web application, resulting in arbitrary     code execution, database compromise through arbitrary SQL execution,     and malicious HTML or JavaScript code injection.
  Workaround :

    There is no known workaround at this time.

Secunia reports :

A security issue has been discovered in LifeType, which can be exploited by malicious people to execute arbitrary SQL code and potentially compromise a vulnerable system.

The problem is caused due to the presence of the insecure 'server.php' test script.

Several vulnerabilities have been discovered in libphp-adodb, the 'adodb' database abstraction layer for PHP. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-0146     Andreas Sandblad discovered that improper user input     sanitisation results in a potential remote SQL injection     vulnerability enabling an attacker to compromise     applications, access or modify data, or exploit     vulnerabilities in the underlying database     implementation. This requires the MySQL root password to     be empty. It is fixed by limiting access to the script     in question.

  - CVE-2006-0147     A dynamic code evaluation vulnerability allows remote     attackers to execute arbitrary PHP functions via the     'do' parameter.

  - CVE-2006-0410     Andy Staudacher discovered a SQL injection vulnerability     due to insufficient input sanitising that allows remote     attackers to execute arbitrary SQL commands.

  - CVE-2006-0806     GulfTech Security Research discovered multiple     cross-site scripting vulnerabilities due to improper     user-supplied input sanitisation. Attackers can exploit     these vulnerabilities to cause arbitrary scripts to be     executed in the browser of an unsuspecting user's     machine, or result in the theft of cookie-based     authentication credentials.

Several vulnerabilities have been discovered in libphp-adodb, the 'adodb' database abstraction layer for PHP, which is embedded in moodle, a course management system for online learning. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-0146     Andreas Sandblad discovered that improper user input     sanitisation results in a potential remote SQL injection     vulnerability enabling an attacker to compromise     applications, access or modify data, or exploit     vulnerabilities in the underlying database     implementation. This requires the MySQL root password to     be empty. It is fixed by limiting access to the script     in question.

  - CVE-2006-0147     A dynamic code evaluation vulnerability allows remote     attackers to execute arbitrary PHP functions via the     'do' parameter.

  - CVE-2006-0410     Andy Staudacher discovered a SQL injection vulnerability     due to insufficient input sanitising that allows remote     attackers to execute arbitrary SQL commands.

  - CVE-2006-0806     GulfTech Security Research discovered multiple     cross-site scripting vulnerabilities due to improper     user-supplied input sanitisation. Attackers can exploit     these vulnerabilities to cause arbitrary scripts to be     executed in the browser of an unsuspecting user's     machine, or result in the theft of cookie-based     authentication credentials.

Several vulnerabilities have been discovered in libphp-adodb, the 'adodb' database abstraction layer for PHP, which is embedded in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-0146     Andreas Sandblad discovered that improper user input     sanitisation results in a potential remote SQL injection     vulnerability enabling an attacker to compromise     applications, access or modify data, or exploit     vulnerabilities in the underlying database     implementation. This requires the MySQL root password to     be empty. It is fixed by limiting access to the script     in question.

  - CVE-2006-0147     A dynamic code evaluation vulnerability allows remote     attackers to execute arbitrary PHP functions via the     'do' parameter.

  - CVE-2006-0410     Andy Staudacher discovered a SQL injection vulnerability     due to insufficient input sanitising that allows remote     attackers to execute arbitrary SQL commands.

  - CVE-2006-0806     GulfTech Security Research discovered multiple     cross-site scripting vulnerabilities due to improper     user-supplied input sanitisation. Attackers can exploit     these vulnerabilities to cause arbitrary scripts to be     executed in the browser of an unsuspecting user's     machine, or result in the theft of cookie-based     authentication credentials.

ID	名前	製品	ファミリー	公開日	更新日	深刻度
20385	ADOdb server.php sql Parameter SQL Injection	Nessus	CGI abuses	2006/1/10	2022/4/11	high
20385	ADOdb server.php sqlパラメーターのSQLインジェクション	Nessus	CGI abuses	2006/1/10	2022/4/11	high
20385	ADOdb server.php sql 參數 SQL 注入攻擊	Nessus	CGI abuses	2006/1/10	2022/4/11	high
21231	GLSA-200604-07 : Cacti: Multiple vulnerabilities in included ADOdb	Nessus	Gentoo Local Security Checks	2006/4/17	2021/1/6	high
21388	FreeBSD : lifetype -- ADOdb 'server.php' Insecure Test Script Security Issue (116b0820-d59c-11da-8098-00123ffe8333)	Nessus	FreeBSD Local Security Checks	2006/5/13	2021/1/6	high
22571	Debian DSA-1029-1 : libphp-adodb - several vulnerabilities	Nessus	Debian Local Security Checks	2006/10/14	2021/1/4	high
22572	Debian DSA-1030-1 : moodle - several vulnerabilities	Nessus	Debian Local Security Checks	2006/10/14	2021/1/4	high
22573	Debian DSA-1031-1 : cacti - several vulnerabilities	Nessus	Debian Local Security Checks	2006/10/14	2021/1/4	high

検出

プラグインの検索

high

high

high

high

high

high

high

high