#410 password_file() creates world-readable file adminer.key

Jonas Pasche

The function password_file() creates a world-readable file named adminer.key in /tmp/ (might also be some other folder, depending on server setup) that seems to contain possibly sensitive information used for session cookies. I haven't tested it, but this could possibly be used by a local user to steal other users' account data if combined with browser-based attacks to steal cookies.

Intuition says a file with "key" in its name should not be world-readable.

Mitigation: set the environment variable TMPDIR to point to a folder that only the user which executes the adminer php code can access -- this helps only in setups where every web application runs with different user rights, e.g. a setup with FastCGI and suExec.

Better solution: The file should not be created world-readable, but readable only to the user (and maybe the group) that runs the php code, for example apache, php or adminer, depending on webserver setup.

There is also the question why you put this file into TMPDIR at all. Many systems run programmes like tmpwatch to remove files that linger in TMPDIR too long. Wouldn't it be better to store this file somewhere else entirely?

  • Jakub Vrána

    • status: open --> closed-fixed
  • Jakub Vrána

    I've removed the world-readable bit. Adminer tries to save this file to upload_tmp_dir which should be already properly configured to not allow reading by unwanted users. There are not many more places where you can reliably save the file.
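The fix discussed above, shown as an added PHP example that is not Adminer's own code: the key file is created in upload_tmp_dir (falling back to the system temp dir) with mode 0600 instead of the umask-dependent default, and an already existing file is refused unless its mode is also 0600. The function name and the checks are assumptions for illustration.

```php
<?php
// Added example (not Adminer's code): create a session-key file readable only
// by the user running the PHP process. The default umask (usually 022) would
// otherwise leave a freshly written file at 0644, i.e. world-readable.

function create_private_key_file(string $dir, string $name = 'adminer.key'): string {
    $path = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;

    if (file_exists($path)) {
        // Do not trust a pre-existing file: verify its mode before reusing it.
        clearstatcache(true, $path);
        $mode = fileperms($path) & 0777;
        if ($mode !== 0600) {
            throw new RuntimeException(sprintf('%s has mode %04o, expected 0600', $path, $mode));
        }
        return $path;
    }

    // Narrow the umask so the file is born 0600; mode 'x' makes fopen fail if
    // the path already exists, so a file or symlink placed there by someone
    // else is never opened and overwritten.
    $old = umask(0077);
    try {
        $fh = @fopen($path, 'x');
    } finally {
        umask($old);
    }
    if ($fh === false) {
        throw new RuntimeException("cannot create $path");
    }

    // 32 bytes from the CSPRNG, hex-encoded, as the key material.
    fwrite($fh, bin2hex(random_bytes(32)));
    fclose($fh);

    // Enforce the mode explicitly as well, in case the filesystem ignored umask.
    chmod($path, 0600);
    clearstatcache(true, $path);
    return $path;
}

// Prefer upload_tmp_dir, as the maintainer describes, then the system temp dir.
$dir  = ini_get('upload_tmp_dir') ?: sys_get_temp_dir();
$path = create_private_key_file($dir);
printf("%s mode %04o\n", $path, fileperms($path) & 0777);
```

On a shared host this still only helps if upload_tmp_dir is not itself world-readable and the PHP processes of different users run under different accounts, which is the same caveat the report makes about TMPDIR.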