Full Report
phpPgAdmin is a PHP plugin for interacting with Postgres databases via PHP. When a user logs in, there is verification that the beginning and end of the string have a single quote. Or, if it doesn't, then the program does the quoting for you. There is no verification done on the input for this, though. The verification allows for more than one field to be added, allowing for directive injection. For instance, 'testinguser' host='1.3.3.7' would change the host. Using this technique, we can change the host of the server. Why does this matter? We can trick the application into using our database for the login process! Since we know our password, this allows for a complete authentication bypass. A fun authentication bypass, with the directive injection changing the location to authenticate to.
Analysis Summary
# Vulnerability: Authentication Bypass via Directive Injection in ADOdb
## CVE Details
- CVE ID: CVE-2021-3850
- CVSS Score: 8.1 (High) - *Estimate based on vendor advisory*
- CWE: CWE-88 (Improper Neutralization of Argument Delimiters in a Command) / CWE-94 (Code Injection)
## Affected Systems
- Products: ADOdb (Active Data Objects Data Base) library for PHP.
- Versions: 5.20.x prior to 5.20.21 and 5.21.x prior to 5.21.4.
- Configurations: Applications whose ADOdb PostgreSQL driver receives untrusted values (username, password or database name) that the driver quotes with `adodb_addslashes()` and concatenates into the libpq connection string handed to `pg_connect()`. phpPgAdmin's login form, which passes the submitted username and password straight through, is the documented case.
## Vulnerability Description
The vulnerability exists within the `adodb_addslashes()` function in `adodb.inc.php`, which the PostgreSQL driver uses to quote each user-supplied value before concatenating it into a libpq connection string of the form `host='...' user='...' password='...' dbname='...'`. The function contains a shortcut: if the input already begins and ends with a single quote (`'`), it assumes the value is already safely quoted and returns it verbatim, without escaping anything between those quotes.
An attacker exploits this by supplying a value that keeps the required leading and trailing quotes but carries additional `key='value'` pairs inside. libpq tokenises the connection string into `key=value` pairs (a separator is not even required after a closing quote), and a key that appears more than once takes its last value. A username of `'testinguser' host='1.3.3.7'` therefore lands in the string as `user='testinguser' host='1.3.3.7'`, overriding the application's configured `host`; `port`, `dbname` or any other libpq parameter can be appended or overridden the same way.
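To make the mechanism concrete, here is an added example (not ADOdb's or phpPgAdmin's code) that ports the pre-fix and post-fix `adodb_addslashes()` logic to Python, assembles the connection string in the driver's assumed `host, user, password, dbname` order, and re-parses it with a small re-implementation of libpq's conninfo tokeniser (quoted and bare values, backslash escapes, last duplicate key wins). The host `127.0.0.1`, database `postgres` and password `hunter2` are constructed values; the username is the payload from the report.

```python
"""Model of CVE-2021-3850: directive injection into a libpq conninfo string
through ADOdb's "already quoted" shortcut.  Added example, not project code."""


def php_addslashes(s: str) -> str:
    """Port of PHP's addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def adodb_addslashes_vulnerable(s: str) -> str:
    """Port of adodb_addslashes() before 5.20.21 / 5.21.4 (assumed faithful).
    A value wrapped in single quotes is returned verbatim: nothing inside it
    is escaped, so extra key='value' pairs reach libpq intact."""
    if s == "":
        return "''"
    if s.startswith("'") and s.endswith("'"):
        return s  # the shortcut that makes the bug
    return "'" + php_addslashes(s) + "'"


def adodb_addslashes_fixed(s: str) -> str:
    """Port of the patched function: always quote and escape."""
    if s == "":
        return "''"
    return "'" + php_addslashes(s) + "'"


def build_conninfo(quote, host: str, user: str, password: str, dbname: str) -> str:
    """Assemble the string the way the pg driver does (assumed layout:
    host, user, password, dbname; empty values omitted)."""
    pairs = (("host", host), ("user", user), ("password", password), ("dbname", dbname))
    return " ".join(f"{k}={quote(v)}" for k, v in pairs if v)


def parse_conninfo(s: str) -> dict:
    """Tokenise like libpq: key=value pairs, values bare or single-quoted,
    backslash escapes in both, no separator needed after a closing quote,
    and a repeated key overwrites the earlier one."""
    params, i, n = {}, 0, len(s)
    while i < n:
        if s[i].isspace():
            i += 1
            continue
        eq = s.find("=", i)
        if eq < 0:
            raise ValueError("missing '=' in conninfo")
        key = s[i:eq].strip()
        i = eq + 1
        while i < n and s[i].isspace():
            i += 1
        val, quoted = [], i < n and s[i] == "'"
        if quoted:
            i += 1
        while True:
            if i >= n:
                if quoted:
                    raise ValueError("unterminated quoted value")
                break
            c = s[i]
            if c == "\\":               # escape: take next char literally
                i += 1
                if i < n:
                    val.append(s[i])
                    i += 1
            elif quoted and c == "'":   # closing quote ends the value
                i += 1
                break
            elif not quoted and c.isspace():
                break
            else:
                val.append(c)
                i += 1
        params[key] = "".join(val)      # last assignment wins, as in libpq
    return params


def effective_params(quote, user: str, password: str) -> dict:
    """Where does a login with this username actually connect?  Host and
    dbname are the application's configured values (constructed here)."""
    return parse_conninfo(build_conninfo(quote, "127.0.0.1", user, password, "postgres"))


if __name__ == "__main__":
    payload = "'testinguser' host='1.3.3.7'"   # username from the report
    print("vulnerable:", effective_params(adodb_addslashes_vulnerable, payload, "hunter2"))
    print("fixed:     ", effective_params(adodb_addslashes_fixed, payload, "hunter2"))
```

With the vulnerable quoting the parsed `host` is `1.3.3.7` and `user` is `testinguser`; with the fixed quoting the whole payload survives only as a literal, harmless user name and `host` stays `127.0.0.1`. The parser also shows why rejecting spaces alone is not a defence: `user='a'host='x'` parses as two parameters.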
## Exploitation
- Status: PoC available; documented in public research.
- Complexity: Low
- Attack Vector: Network
- Details: By injecting `host=` (and `port=` if needed) into the username, the attacker redirects the login-time connection to a PostgreSQL server they control. That server accepts the attacker's chosen username and password, `pg_connect()` succeeds, and the application treats the request as authenticated; the resulting session is bound to the attacker-chosen server rather than the site's own database. The web host must be able to open an outbound connection to the attacker's server on the PostgreSQL port, so egress filtering from the web tier defeats this vector. The same injection also sidesteps phpPgAdmin's own login checks that reject empty passwords and privileged account names such as `root`, because those checks inspect the raw submitted fields rather than what libpq ultimately parses out of them.
## Impact
- Confidentiality: High (Full access to the database management interface)
- Integrity: High (Ability to modify data via the management panel)
- Availability: High (Ability to drop tables or disrupt database services)
## Remediation
### Patches
- **ADOdb 5.20.21:** fix for the 5.20 maintenance branch.
- **ADOdb 5.21.4:** fix for the current 5.21 branch.
- The fix removes the shortcut that returned a value unchanged when it started and ended with a single quote; every value is now quoted and escaped before it enters the connection string.
### Workarounds
- If upgrading is not immediately possible, validate at the application layer before anything reaches ADOdb: reject usernames, passwords and database names that contain single quotes, backslashes, `=` or whitespace. Rejecting spaces alone is not sufficient, because libpq does not require a separator after a closing quote, so `'a'host='x'` still parses as two parameters. Restricting outbound connections from the web tier to the intended database server also removes the redirect vector.
## Detection
- **Indicators of Compromise:** Web server access logs do not record POST bodies by default, so the login username is only visible where the application, a reverse proxy or a WAF logs request fields. Review those for usernames wrapped in single quotes or containing libpq parameters (`host=`, `hostaddr=`, `port=`, `dbname=`). On the network side, an outbound connection from the web host to any address other than the configured database server on the PostgreSQL port (5432 by default) is the strongest signal, since a successful redirect never touches the real database at all.
- **Detection Methods:** Inventory ADOdb versions across PHP applications (the Composer package is `adodb/adodb-php`) and flag anything below 5.20.21 or 5.21.x below 5.21.4. Where the library is vendored, inspect `adodb_addslashes()` in `adodb.inc.php` for the check that returns the input unchanged when it starts and ends with a single quote; its presence means the build is unpatched.
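The following added example (not phpPgAdmin's, ADOdb's or any vendor's code) covers both the application-layer pre-check suggested under Workarounds and the log review suggested under Detection: `conninfo_value_problems()` lists why a submitted value must not be passed into the vulnerable quoting path, and `scan_login_log()` runs that check over a login audit log. The audit-log format and all entries in `SAMPLE_LOG` are constructed for this example; the keyword list is a subset of real libpq parameter names chosen for the detector.

```python
"""Pre-check and log scanner for libpq directive injection.  Added example,
not project code; log format below is constructed."""
import re

# Subset of libpq connection parameters an attacker would plausibly inject.
LIBPQ_KEYWORDS = (
    "host", "hostaddr", "port", "dbname", "user", "password", "passfile",
    "service", "options", "sslmode", "sslrootcert", "connect_timeout",
    "application_name",
)
_DIRECTIVE_RE = re.compile(r"\b(" + "|".join(LIBPQ_KEYWORDS) + r")\s*=", re.IGNORECASE)


def conninfo_value_problems(value: str) -> list:
    """Reasons a username/password/dbname is unsafe for the vulnerable quoting
    path.  Empty list means the value is acceptable.  Whitespace is not needed
    between libpq parameters, so quotes, backslashes and '=' are rejected too."""
    problems = []
    if value == "":
        problems.append("empty value")
    if value.startswith("'") and value.endswith("'"):
        problems.append("wrapped in single quotes (triggers the ADOdb shortcut)")
    if "'" in value:
        problems.append("contains single quote")
    if "\\" in value:
        problems.append("contains backslash")
    if "=" in value:
        problems.append("contains '='")
    if any(ch.isspace() for ch in value):
        problems.append("contains whitespace")
    m = _DIRECTIVE_RE.search(value)
    if m:
        problems.append(f"libpq directive '{m.group(1).lower()}='")
    return problems


# Constructed sample of an application-level login audit log (not a real
# phpPgAdmin format): timestamp, event, server, quoted user, result.
SAMPLE_LOG = """\
2022-01-20T10:01:02Z phppgadmin login server=local user="alice" result=ok
2022-01-20T10:01:40Z phppgadmin login server=local user="'testinguser' host='1.3.3.7'" result=ok
2022-01-20T10:02:11Z phppgadmin login server=local user="'postgres'" result=fail
2022-01-20T10:02:30Z phppgadmin login server=local user="bob" result=fail
"""

_LOGIN_RE = re.compile(
    r'^(?P<ts>\S+) .* user="(?P<user>(?:[^"\\]|\\.)*)" result=(?P<result>\w+)'
)


def scan_login_log(text: str) -> list:
    """Return one record per login line whose username fails the pre-check."""
    hits = []
    for line in text.splitlines():
        m = _LOGIN_RE.match(line)
        if not m:
            continue  # not a login event in this constructed format
        problems = conninfo_value_problems(m["user"])
        if problems:
            hits.append({"ts": m["ts"], "user": m["user"],
                         "result": m["result"], "problems": problems})
    return hits


if __name__ == "__main__":
    for hit in scan_login_log(SAMPLE_LOG):
        print(hit["ts"], hit["result"], repr(hit["user"]), "->", "; ".join(hit["problems"]))
```

Run against the sample, the scanner flags the redirect payload (quotes plus an injected `host=` directive) and the bare `'postgres'` attempt that slips past a name deny-list, while `alice` and `bob` pass. The same `conninfo_value_problems()` call can sit in front of the login handler as the interim workaround until the library is upgraded.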
## References
- Vendor Advisory: [https://github.com/ADOdb/ADOdb/security/advisories/GHSA-65mj-7c86-79jf](https://github.com/ADOdb/ADOdb/security/advisories/GHSA-65mj-7c86-79jf)
- Huntr.dev Report: [https://huntr.dev/bounties/bdf5f216-4499-4225-a737-b28bc6f5801c/](https://huntr.dev/bounties/bdf5f216-4499-4225-a737-b28bc6f5801c/)
- Sorcery Blog (Source): [https://blog.sorcery.ie/posts/adodb_auth_bypass/](https://blog.sorcery.ie/posts/adodb_auth_bypass/)