Description
Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint
Summary
Adminer v5.4.1 has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST a version[] parameter, which PHP converts to an array. On the next page load, openssl_verify() receives this array instead of a string and throws a TypeError, returning HTTP 500 to all users.
Fix
Upgrade to Adminer 5.4.2.
Mitigation (if you can't upgrade): Make the file adminer.version in the temp directory (usually the value of upload_tmp_dir) unwritable by the web server.
Details
1. Intended design of ?script=version:
The endpoint is designed to receive version data from adminer.org via browser JavaScript:
- functions.js lines 102-117: creates an iframe to https://www.adminer.org/version/
- adminer.org sends signed version data via postMessage
- JavaScript POSTs this to ?script=version
- The server stores it in /tmp/adminer.version for signature verification
2. The vulnerability:
The endpoint only checks $_GET["script"] == "version"; it does not validate:
- Request origin (no CSRF token check for this endpoint)
- Request source (any HTTP client can POST)
- Parameter types (version is expected as a string; an array is not rejected)
3. Type confusion crash:
When the POST body contains version[] instead of version, PHP creates an array. When Adminer reads this file on the next page load and passes the stored value to openssl_verify(), PHP 8.x throws:
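The following is an added illustration of the failure mode described above and of the type check that prevents it; it is not Adminer's code and does not reproduce Adminer's actual file format or fix. The record layout (a version string plus a base64 signature), the function names (adminer_version_path, verify_version_unsafe, verify_version_safe, handle_version_post, version_file_is_locked_down) and the choice of OPENSSL_ALGO_SHA256 are all assumptions made for the example. Everything in it runs offline against constructed input.

```php
<?php
declare(strict_types=1);

// Hypothetical path resolution mirroring the advisory's note that the file
// lives in the upload temp directory (upload_tmp_dir, else the system temp dir).
function adminer_version_path(): string {
    $dir = ini_get('upload_tmp_dir') ?: sys_get_temp_dir();
    return rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . 'adminer.version';
}

// Vulnerable pattern (assumed, not Adminer's code): the stored value goes to
// openssl_verify() unchecked. If the record was written from a POST body that
// contained version[]=..., $record['version'] is an array and PHP 8 throws a
// TypeError, which surfaces as HTTP 500 on every page load until the file is removed.
function verify_version_unsafe(array $record, string $publicKeyPem): bool {
    $key = openssl_pkey_get_public($publicKeyPem);
    return openssl_verify($record['version'], $record['signature'], $key, OPENSSL_ALGO_SHA256) === 1;
}

// Hardened pattern: validate types and shape before the signature check, and
// treat a malformed record as "no version information" instead of letting an
// exception escape. A poisoned file then degrades gracefully.
function verify_version_safe(mixed $record, string $publicKeyPem): bool {
    if (!is_array($record)) {
        return false;
    }
    $version   = $record['version']   ?? null;
    $signature = $record['signature'] ?? null;
    // Reject arrays, empty strings and anything that is not a dotted version number.
    if (!is_string($version) || !preg_match('/^[0-9]+(\.[0-9]+)*$/', $version)) {
        return false;
    }
    if (!is_string($signature) || $signature === '') {
        return false;
    }
    $raw = base64_decode($signature, true);
    if ($raw === false) {
        return false;
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        return false;
    }
    try {
        return openssl_verify($version, $raw, $key, OPENSSL_ALGO_SHA256) === 1;
    } catch (\Throwable $e) {
        return false;
    }
}

// Endpoint side: apply the same scalar check when the POST arrives so that an
// array never reaches the file. Returns the HTTP status the handler would send.
function handle_version_post(array $post, string $path): int {
    $version   = $post['version']   ?? null;
    $signature = $post['signature'] ?? null;
    if (!is_string($version) || !is_string($signature)) {
        return 400; // version[]=... or a missing field: reject before writing anything
    }
    file_put_contents($path, serialize(['version' => $version, 'signature' => $signature]), LOCK_EX);
    return 204;
}

// Check for the advisory's interim mitigation: the version file must not be
// writable by the account PHP runs as.
function version_file_is_locked_down(string $path): bool {
    return file_exists($path) && !is_writable($path);
}

// Constructed inputs: a record as a browser would submit it, and the poisoned
// shape produced by a request with version[]=5.4.1.
$publicKeyPem = "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"; // placeholder key
$normal   = ['version' => '5.4.1',   'signature' => base64_encode('not-a-real-signature')];
$poisoned = ['version' => ['5.4.1'], 'signature' => 'x'];

try {
    verify_version_unsafe($poisoned, $publicKeyPem);
} catch (\TypeError $e) {
    echo "unsafe: " . get_class($e) . " escapes -> would be an HTTP 500\n";
}
var_dump(verify_version_safe($poisoned, $publicKeyPem)); // bool(false), no exception
var_dump(verify_version_safe($normal, $publicKeyPem));   // bool(false): placeholder key, no valid signature

$tmp = tempnam(sys_get_temp_dir(), 'adminer.version.');
var_dump(handle_version_post(['version' => ['5.4.1']], $tmp)); // int(400)
var_dump(handle_version_post($normal, $tmp));                   // int(204)
var_dump(version_file_is_locked_down($tmp));                    // bool(false) until permissions are changed
unlink($tmp);
```

The two verify functions differ only in the checks that run before openssl_verify() is called; that is the whole fix for the crash. The origin problem (any client can POST) is a separate concern that a scalar check does not address, which is why the advisory's recommended fix is to upgrade.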
PoC
Steps to Reproduce:
Step 1: Verify Adminer is running and accessible.
Expected output:
Step 2: Send the malicious POST request. The version[] syntax causes PHP to create an array instead of a string.
Expected output: Empty response (no error).
Step 3: Access Adminer again to trigger the crash.
Expected output:
Step 4: (Optional) View the PHP error in server logs.
Step 5: (Optional) Inspect the poisoned file.
Expected output:
Recovery:
After deletion, Adminer returns HTTP 200.
Impact
Type: Denial of Service
Root cause: The ?script=version endpoint is designed to receive data from adminer.org via JavaScript, but lacks server-side validation. Any HTTP client can POST directly to this endpoint. Combined with missing type validation before openssl_verify(), this allows persistent DoS.
Affected users: Any Adminer instance accessible over the network.
Packages
Package: vrana/adminer
Affected versions: >= 4.6.2, < 5.4.2
Patched version: 5.4.2
Related vulnerabilities
Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.