A vulnerability (CVE-2025-46337) has been identified in the ADOdb library, which is used in many PHP projects to access DBMSs and has around 3 million installs from the Packagist repository. It allows substitution of arbitrary SQL into a query. The issue has been assigned the maximum severity level (10 out of 10). The vulnerability was fixed in ADOdb release 5.22.9.

The vulnerability manifests when ADOdb is used with the PostgreSQL DBMS in applications that call the pg_insert_id() method and pass unvalidated external data through the $fieldname parameter. The problem is caused by a bug in the ADOdb driver for PostgreSQL, related to the missing escaping of special characters in the $tablename and $fieldname parameters before they are used in the pg_insert_id() function to build the sequence name:

$result=pg_query($this->_connectionID,'SELECT last_value FROM '. $tablename .'_'. $fieldname .'_seq');

Because the parameters are concatenated directly into the query string, a value such as "x_seq; DROP TABLE users; --" in $fieldname closes the intended SELECT and appends its own statement, and pg_query() (which calls PQexec) executes several semicolon-separated statements in one call.
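The following is an added example, not code from ADOdb or from the article. It rebuilds the sequence query the same way the vulnerable driver does, next to a hardened variant that validates and quotes the identifiers; the hardened function is a hypothetical illustration, not the actual fix shipped in ADOdb 5.22.9, and the attacker input is constructed for the demonstration.

```php
<?php
// Added example, not ADOdb's code. Demonstrates why concatenating an
// untrusted field name into the sequence query is injectable, and one
// way (hypothetical, not the project's actual fix) to harden it.

// Builds the query exactly as the vulnerable driver does: raw concatenation.
function vulnerableSeqQuery(string $tablename, string $fieldname): string
{
    return 'SELECT last_value FROM ' . $tablename . '_' . $fieldname . '_seq';
}

// Hardened variant: accept only plain SQL identifiers, then quote the
// resulting sequence name as a single identifier.
function hardenedSeqQuery(string $tablename, string $fieldname): string
{
    foreach ([$tablename, $fieldname] as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException('Invalid identifier: ' . $ident);
        }
    }
    $seq = $tablename . '_' . $fieldname . '_seq';
    // Double any embedded double quotes per SQL identifier quoting rules
    // (the regex above already excludes them; kept as defence in depth).
    return 'SELECT last_value FROM "' . str_replace('"', '""', $seq) . '"';
}

// Constructed attacker-controlled field name: terminates the intended
// statement and appends a second one, commenting out the trailing "_seq".
$payload = 'x_seq; DROP TABLE users; --';

echo vulnerableSeqQuery('orders', $payload), PHP_EOL;

try {
    echo hardenedSeqQuery('orders', $payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

echo hardenedSeqQuery('orders', 'id'), PHP_EOL;
```

Run with `php example.php`: the first line shows the injected statement spliced into the query, the second shows the payload being rejected, and the third shows the quoted sequence name for a benign field. Quoting alone is not enough if the identifier regex is dropped, since PostgreSQL folds unquoted identifiers to lower case but preserves case inside double quotes, so a validated name may still need matching case with the real sequence.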
source: budenet.ru
