Adminer 4.6.2 file disclosure vulnerability
Description
Adminer is a lightweight database management tool distributed as a single PHP file under the Apache license. Versions 4.6.2 and earlier contain a file disclosure vulnerability rooted in a protocol-level flaw in MySQL's LOAD DATA LOCAL INFILE feature: the server, not the client, names the file to be uploaded. An attacker who controls a malicious MySQL server that Adminer connects to can therefore make Adminer read arbitrary files from the web server's filesystem and transmit them to the attacker during what appears to be a normal database connection. This gives unauthorized access to sensitive files such as configuration files, source code, and credentials stored on the server.
Remediation
Immediately upgrade Adminer to version 4.6.3 or later, which disables support for LOAD DATA LOCAL INFILE by default and mitigates this vulnerability.

To upgrade:
1. Download the latest version of Adminer from the official website (https://www.adminer.org/)
2. Replace the existing Adminer PHP file with the new version
3. Verify the version number by accessing Adminer and checking the footer or page title

Additional security measures:
• Restrict access to Adminer using IP whitelisting, VPN, or authentication mechanisms at the web server level
• Only connect Adminer to trusted MySQL servers
• Consider removing Adminer from production environments entirely and use it only in secure development or staging environments
• Implement file integrity monitoring to detect unauthorized access to sensitive files
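Step 3 above verifies the version through the browser; on a host with several deployed copies it is easier to check the PHP files themselves. The script below is an added example written for this advisory, not part of Adminer or of the original page. It assumes that adminer.php declares its version near the top of the file in the form `$VERSION = "4.6.2";` (an assumption about the file layout, so treat a "unknown" result as "inspect manually"), and it compares versions numerically so that, for instance, 4.6.10 is correctly ranked above 4.6.3. The sample file contents are constructed for the demonstration.

```python
import os
import re
from typing import Optional, Tuple

# First release that disables LOAD DATA LOCAL INFILE by default (from the advisory).
FIXED_VERSION: Tuple[int, int, int] = (4, 6, 3)

# Assumption: the single-file Adminer build declares its version as `$VERSION = "x.y.z";`.
_VERSION_RE = re.compile(r'\$VERSION\s*=\s*["\']([0-9]+(?:\.[0-9]+)*)["\']')


def parse_version(php_source: str) -> Optional[Tuple[int, ...]]:
    """Extract the version tuple from Adminer's PHP source, or None if absent."""
    match = _VERSION_RE.search(php_source)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the version is older than 4.6.3.

    Components are compared as integers, not strings, so 4.6.10 > 4.6.3,
    and short versions such as (4,) are padded with zeros before comparing.
    """
    padded = tuple(version) + (0,) * (len(FIXED_VERSION) - len(version))
    return padded[: len(FIXED_VERSION)] < FIXED_VERSION


def audit_adminer_source(php_source: str) -> dict:
    """Classify one PHP file as vulnerable, ok, or unknown (no version string found)."""
    version = parse_version(php_source)
    if version is None:
        return {
            "version": None,
            "status": "unknown",
            "action": "no $VERSION declaration found; inspect the file manually",
        }
    if is_vulnerable(version):
        return {
            "version": ".".join(map(str, version)),
            "status": "vulnerable",
            "action": "upgrade to 4.6.3 or later (LOAD DATA LOCAL INFILE disabled by default)",
        }
    return {"version": ".".join(map(str, version)), "status": "ok", "action": "none"}


def audit_directory(root: str) -> dict:
    """Walk a web root and audit every *.php file that mentions Adminer in its header."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(4096)  # the version declaration sits near the top
            if "adminer" not in head.lower():
                continue
            findings[path] = audit_adminer_source(head)
    return findings


# Constructed sample file contents (not real Adminer source) for a stand-alone run.
SAMPLE_OLD = '<?php\n/** Adminer - Compact database management\n*/\n$VERSION = "4.6.2";\n'
SAMPLE_FIXED = '<?php\n/** Adminer - Compact database management\n*/\n$VERSION = "4.6.3";\n'
SAMPLE_LATER = '<?php\n/** Adminer */\n$VERSION = "4.6.10";\n'
SAMPLE_UNKNOWN = "<?php\n// adminer wrapper with no version declaration\ninclude 'adminer.php';\n"

if __name__ == "__main__":
    for label, src in [("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED),
                       ("later", SAMPLE_LATER), ("unknown", SAMPLE_UNKNOWN)]:
        print(label, audit_adminer_source(src))
```

Run `audit_directory("/var/www")` (or whatever web root applies) to get a path-keyed report; anything marked "vulnerable" should be replaced under the upgrade steps above, and "unknown" entries are wrappers or renamed copies that need a manual look.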