#186 security concerns, adminer passing urls through adminer.org

Milestone: 3.3.3
Status: closed-fixed
Group: Common (150)
Priority: 5
Updated: 2013-01-11
Created: 2011-08-16
Creator: Anonymous
Private: No

Hi,
I like adminer a lot but I noticed something that's really not ok. When I have http links in the table, adminer makes them "clickable", and if I click them in the adminer "select" view, it passes the url through adminer.org.

http://www.adminer.org/redirect/?url=http://www.bild.de <-- e.g. will redirect you to bild.de.

I don't see a technical requirement in here nor an improvement.

The problem here is that you know all links clicked within adminer and you also know where the links came from. That's really not acceptable.

The source says it's to hide the referer. Well, at least adminer.org knows them now.

I suggest not making links clickable by default and simply letting the user decide. Adminer has a plugin system, so that's the way to go. For now adminer.org is just some random host which I personally don't trust. The host; not the project.

Discussion

  • langpavel

    langpavel - 2011-10-27

    Hi. Jakub Vrána is evil :-)

    change line 348 in select.inc.php from github:

    if ($protocol = is_url($row[$key])) {
        $link = ($protocol == "http" && $HTTPS
            ? $row[$key] // HTTP links from HTTPS pages don't receive Referer automatically
            : "$protocol://www.adminer.org/redirect/?url=" . urlencode($row[$key]) // intermediate page to hide Referer, may be changed to rel="noreferrer" in HTML5
        );
    }

    This is only one line of code that does this evil redirect.
    By the way - Jakub should publish a list of all redirects from adminer users (should be a statistical integer ;-) )

  • Jakub Vrána

    Jakub Vrána - 2011-10-28

    The reason for this is to avoid leaking the Adminer installations' URLs to random hosts linked from the user data (through the Referer header).

    The best way to avoid this is to run Adminer under HTTPS where the Referer is not set so no redirection is performed.

    However, I will make it pluginable.
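As an added example (not Adminer's code and not part of this thread), the alternative already named in the code comment above, rel="noreferrer", applied to the same link-rendering decision; detect_url_scheme and render_cell are hypothetical names standing in for Adminer's is_url and the select view:

```php
<?php
// Added example, not Adminer's own code: the same decision as the
// select.inc.php fragment, but the Referer is suppressed by the browser via
// rel="noreferrer" instead of bouncing every click through a third-party host.

/** Return the scheme ("http"/"https") if $value is an absolute web URL, else null. */
function detect_url_scheme(string $value): ?string
{
    // Deliberately strict: only http/https, no whitespace or HTML metacharacters.
    if (preg_match('~^(https?)://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s"<>]*)?$~', $value, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

/** Render one table cell; URL values become links that never send a Referer. */
function render_cell(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    if (detect_url_scheme($value) === null) {
        return $escaped;            // plain text, escaped against XSS
    }
    // noreferrer: the browser omits the Referer header for this navigation on
    // both HTTP and HTTPS pages, so the installation URL is not leaked to the
    // linked site and no intermediate redirect host ever sees the click.
    // noopener: the opened page cannot reach window.opener.
    return '<a href="' . $escaped . '" rel="noreferrer noopener" target="_blank">'
        . $escaped . '</a>';
}

// Defence in depth: a page-wide policy covers every outgoing navigation,
// including links rendered elsewhere without the rel attribute.
header('Referrer-Policy: no-referrer');

// Constructed sample values standing in for $row[$key] in the select view.
$samples = [
    'http://www.bild.de',
    'https://example.com/path?a=1&b=2',
    'not a url <script>alert(1)</script>',
];
foreach ($samples as $value) {
    echo render_cell($value), "\n";
}
```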

  • Jakub Vrána

    Jakub Vrána - 2011-10-28
    • status: open --> open-accepted
  • Jakub Vrána

    Jakub Vrána - 2013-01-11

    Thank you for the report, I've fixed it in Git. You can download the "Current development version" from http://www.adminer.org/#download

  • Jakub Vrána

    Jakub Vrána - 2013-01-11
    • status: open-accepted --> closed-fixed