Menu

#855 Symlink vulnerability when using adminer.version

4.8.1
closed-fixed
nobody
None
5
2025-03-16
2023-01-01
Martin Mares
No

Adminer creates a file called adminer.version in the temporary directory. First, this is a symlink traversal vulnerability: adminer.version could be a symlink planted by an attacker, leading to overwrite of an arbitrary file writable by the user running Adminer. Second, when multiple instances of Adminer run on the same machine under different UIDs, they fail with a permission denied error if the file was created by a different instance.

Discussion

  • Jakub Vrána

    Jakub Vrána - 2023-04-20

    Would deleting the file first solve both issues?

     

  • Martin Mares

    Martin Mares - 2023-04-20

    No, because between deleting the file and creating it again, another process could create its own version.

     

  • Jakub Vrána

    Jakub Vrána - 2025-03-16
    • status: open --> closed-fixed
    • private: Yes --> No
     

  • Jakub Vrána

    Jakub Vrána - 2025-03-16

    I've added an is_link check. However, the same handling is also used for invalid logins. It's more complicated there. Creating an adminer.invalid symlink by an attacker would disable invalid logins check. In that case, I create adminer.invalid plus some random suffix.

    I also delete adminer.version now. The race condition is not critical. Note that Adminer prefers upload_tmp_dir for temporary dir which could be user specific.

     

Log in to post a comment.