Adminer 4.6.2 file disclosure vulnerability
Description
Adminer is a lightweight database management tool distributed as a single PHP file under the Apache license. Versions 4.6.2 and earlier contain a file disclosure vulnerability rooted in a protocol-level weakness of MySQL's LOAD DATA LOCAL INFILE functionality: it is the server side of the connection that decides which local file the client reads. An attacker who controls a malicious MySQL server can therefore force Adminer to read arbitrary files from the web server's filesystem and transmit them during what appears to be a normal database connection. This exposes sensitive files such as configuration files, source code, and credentials stored on the server to an unauthorized party.
Remediation
Immediately upgrade Adminer to version 4.6.3 or later, which disables support for LOAD DATA LOCAL INFILE by default and mitigates this vulnerability.
To upgrade:
1. Download the latest version of Adminer from the official website (https://www.adminer.org/)
2. Replace the existing Adminer PHP file with the new version
3. Verify the version number by accessing Adminer and checking the footer or page title
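As an added example for step 3 (not part of this advisory or of the Adminer project), a small scanner that finds Adminer copies under a web root and reports any below 4.6.3. It assumes the compiled adminer.php header carries the project link (adminer.org) and an "@version X.Y.Z" line, as released builds do, and also accepts a `$VERSION = "X.Y.Z";` assignment for source checkouts; a file whose version cannot be parsed is reported as vulnerable to stay conservative.

```python
"""Scan a web root for Adminer files and flag versions older than 4.6.3."""
import os
import re
import sys

FIXED_VERSION = (4, 6, 3)  # first release that disables LOAD DATA LOCAL INFILE

# Assumed markers: "@version" in the compiled file's header docblock, or the
# "$VERSION = ..." assignment used in the project's source tree.
_VERSION_RE = re.compile(
    r'@version\s+(\d+)\.(\d+)(?:\.(\d+))?'
    r'|\$VERSION\s*=\s*"(\d+)\.(\d+)(?:\.(\d+))?"'
)


def parse_version(text):
    """Return (major, minor, patch) found in Adminer PHP text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups() if g is not None]  # only one branch matches
    while len(nums) < 3:
        nums.append(0)  # "4.6" is treated as 4.6.0
    return tuple(nums)


def is_vulnerable(version):
    """True for 4.6.2 and earlier, i.e. anything below the fixed release."""
    return version < FIXED_VERSION


def scan(root):
    """Yield (path, version_or_None, vulnerable) for each Adminer file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)  # version and link sit in the header
            except OSError:
                continue
            if "adminer.org" not in head and "$VERSION" not in head:
                continue  # assumed marker absent: not an Adminer build
            version = parse_version(head)
            yield path, version, version is None or is_vulnerable(version)


if __name__ == "__main__":
    for path, version, bad in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{'VULNERABLE' if bad else 'ok':10} {shown:8} {path}")
```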
Additional security measures:
• Restrict access to Adminer using IP whitelisting, VPN, or authentication mechanisms at the web server level
• Only connect Adminer to trusted MySQL servers
• Consider removing Adminer from production environments entirely and using it only in secure development or staging environments
• Implement file integrity monitoring to detect unauthorized access to sensitive files