Adminer: Insecure by default

Developers
Chris N
2013-12-07
2014-02-04
  • Chris N
    Chris N
    2013-12-07

    Adminer is so refreshing after using phpMyAdmin, which seems to get slower and more bloated with every release. I was very impressed and plan to use Adminer and donate.

    However, after a few minutes of testing it out I noticed it had external dependencies - it even injects remote javascript! I then went back to your website and looked around to see if this is mentioned anywhere, or a simple way to just include the files yourself locally... nope. Maybe a plugin... nope. But I did see you mention that Adminer is more secure than phpMyAdmin! Excuse me, but aside from a version check, I don't see phpMyAdmin loading untrusted third-party javascript onto a page with potentially sensitive information.

    I find this all terribly misleading. The whole "Database management in a single php file" is kinda a gimmick, and really isn't a virtue. What's the harm in including all dependencies in the download? Is one file so much better than three files and a folder?

    +-adminer.php
    +-includes/
    | +-all_javascript.js
    | +-all_css.css

    I know the script can be altered to solve this problem and include the files locally, but the point is you are falsely promoting this as a secure drop-in solution with no mention of this security vulnerability. How many people might use this in a business environment and with a database with sensitive information? If your adminer.org server is hacked to serve malicious javascript, game over. Any data then displayed via Adminer is there for the taking.

    I hope you choose to take a more secure by default approach in the future with zero external dependencies.

     
  • Jakub Vrána
    Jakub Vrána
    2013-12-20

    Thank you for the report. Git version of Adminer now includes the syntax highlighter locally. Version checker now uses iframe instead of script. So no external JavaScript is executed anymore.

     
  • Chris N
    Chris N
    2014-02-04

    Thank you for promptly addressing this issue.