PT-2006-1227 · Phpopenchat+8

Rgod · Published 2006-01-09 · Updated 2018-10-19 · CVE-2006-0147

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

ADOdb versions prior to 4.70
Mantis versions prior to the version that updates ADOdb to 4.70
PostNuke versions prior to the version that updates ADOdb to 4.70
Moodle versions prior to the version that updates ADOdb to 4.70
Cacti versions prior to the version that updates ADOdb to 4.70
Xaraya versions prior to the version that updates ADOdb to 4.70
PhpOpenChat versions prior to the version that updates ADOdb to 4.70
MAXdev MD-Pro versions prior to the version that updates ADOdb to 4.70
Simplog versions prior to the version that updates ADOdb to 4.70

Description

A dynamic code evaluation issue exists in the tests/tmssql.php test script in ADOdb for PHP, which is used by multiple products. This issue allows remote attackers to execute arbitrary PHP functions via the do parameter. The do parameter is saved in a variable that is then executed as a function, enabling the execution of arbitrary PHP code. An example of exploitation is demonstrated using phpinfo.

Recommendations

Update ADOdb to version 4.70 or later.
Update Mantis to a version that includes ADOdb 4.70 or later.
Update PostNuke to a version that includes ADOdb 4.70 or later.
Update Moodle to a version that includes ADOdb 4.70 or later.
Update Cacti to a version that includes ADOdb 4.70 or later.
Update Xaraya to a version that includes ADOdb 4.70 or later.
Update PhpOpenChat to a version that includes ADOdb 4.70 or later.
Update MAXdev MD-Pro to a version that includes ADOdb 4.70 or later.
Update Simplog to a version that includes ADOdb 4.70 or later.
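
An added example, not part of the original advisory: a Python check over web server access logs that finds requests to the tests/tmssql.php script named in the description and reports the do value each one carried. The log lines, directory prefixes and addresses are constructed sample data in Apache combined log format, and find_hits is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Leading fields of an Apache/nginx "combined" access log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT = "tests/tmssql.php"  # test script path named in the advisory

# Constructed sample lines (documentation-range addresses, made-up prefixes).
SAMPLE = [
    '192.0.2.10 - - [09/Jan/2006:10:00:01 +0000] '
    '"GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [09/Jan/2006:10:02:13 +0000] '
    '"GET /app/adodb/tests/tmssql.php?do=phpinfo HTTP/1.1" 200 40211 "-" "-"',
    '198.51.100.7 - - [09/Jan/2006:10:02:20 +0000] '
    '"GET /lib/adodb//Tests/TMSSQL.php?do=phpinfo HTTP/1.1" 404 210 "-" "-"',
]

def find_hits(lines):
    """Return one dict per logged request that targeted the test script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry
        url = urlsplit(m["target"])
        # Decode %xx, collapse repeated slashes and ignore case, so that
        # trivially altered spellings of the path are still matched.
        path = re.sub(r"/+", "/", unquote(url.path)).lower()
        if not path.endswith("/" + SCRIPT):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            # A 2xx status means the script was deployed and answered.
            "served": m["status"].startswith("2"),
            "do": params.get("do", [None])[0],
        })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit)
```

A hit with served set to True shows that the test directory is reachable on that host, so the ADOdb copy there should be updated as listed above and the request reviewed.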

Exploit

Fix


Related identifiers

CVE-2006-0147
DSA-1029-1
DSA-1030-1
DSA-1031-1

Affected products

Adodb
Cacti
Maxdev Md-Pro
Mantis
Moodle
Phpopenchat
Postnuke
Simplog
Xaraya