CVE-2023-45197
📋 TL;DR
This vulnerability allows attackers to upload malicious files to the root directory of Adminer/AdminerEvo installations using a directory traversal technique with '..' as the table name. Once uploaded, attackers can execute these files, potentially leading to remote code execution. This affects all Adminer installations and AdminerEvo versions before 4.8.3.
💻 Affected Systems
- Adminer
- AdminerEvo
📦 What is this software?
Adminerevo by Adminerevo
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through remote code execution, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Webshell deployment leading to data exfiltration, privilege escalation, or lateral movement within the affected environment.
If Mitigated
File upload blocked or contained, preventing execution and limiting impact to failed upload attempts.
🎯 Exploit Status
Exploitation requires guessing the uploaded filename, but predictable naming makes this trivial. No authentication is needed for the file upload functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: AdminerEvo 4.8.3
Vendor Advisory: https://github.com/adminerevo/adminerevo/releases/tag/v4.8.3
Restart Required: No
Instructions:
1. Upgrade AdminerEvo to version 4.8.3 or later.
2. For Adminer, migrate to AdminerEvo or remove Adminer entirely.
3. Apply the patch from commit 1cc06d6a1005fd833fa009701badd5641627a1d4 if custom patching is needed.
🔧 Temporary Workarounds
Disable file upload functionality (platform: all)
- Remove or disable the file upload plugin in the Adminer/AdminerEvo configuration
- Edit the Adminer configuration to remove file upload plugin references or disable upload features
Restrict file upload directory permissions (platform: linux)
- Set the upload directory to read-only or move it outside the web root:
chmod 444 /path/to/adminer/upload/directory
- Configure the upload directory outside the document root
🧯 If You Can't Patch
- Remove Adminer/AdminerEvo entirely from production systems
- Implement strict network access controls to block all traffic to Adminer instances
🔍 How to Verify
Check if Vulnerable:
Check whether Adminer or AdminerEvo is installed; AdminerEvo is vulnerable below version 4.8.3, and every version of Adminer is vulnerable
Check Version:
Check the AdminerEvo version in the interface or configuration files; for Adminer, check the installation files
Verify Fix Applied:
Verify that the AdminerEvo version is 4.8.3 or higher, or that Adminer has been removed
📡 Detection & Monitoring
Log Indicators:
- File upload attempts with '..' in table name parameter
- Unexpected file creation in Adminer directory
- Webshell execution patterns
Network Indicators:
- HTTP POST requests to Adminer file upload endpoints
- Unusual outbound connections from Adminer server
SIEM Query:
source="adminer_access.log" AND (uri_path="/adminer/file-upload" OR param="..")
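The log indicators and the SIEM query above can be checked offline against a web server access log. The following Python script is an added example, not part of the original advisory or of the Adminer/AdminerEvo projects: it parses combined-format access log lines, URL-decodes the query string, and flags requests whose table parameter contains '..' as well as POST requests to an upload endpoint. The log lines are constructed for the example, and the /adminer/file-upload path is an assumption taken from the SIEM query rather than a documented Adminer route.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2023:10:01:02 +0000] "GET /adminer/adminer.php?db=app&table=users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2023:10:01:05 +0000] "POST /adminer/adminer.php?db=app&table=.. HTTP/1.1" 200 310 "-" "curl/8.0"
10.0.0.9 - - [12/Oct/2023:10:01:07 +0000] "POST /adminer/adminer.php?db=app&table=%2E%2E HTTP/1.1" 200 310 "-" "curl/8.0"
10.0.0.7 - - [12/Oct/2023:10:02:00 +0000] "POST /adminer/file-upload HTTP/1.1" 200 120 "-" "python-requests/2.31"
10.0.0.5 - - [12/Oct/2023:10:03:00 +0000] "GET /static/app.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed upload endpoint path, mirroring the advisory's SIEM query (hypothetical route).
UPLOAD_ENDPOINTS = ("/adminer/file-upload",)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs URL-decodes values, so %2E%2E becomes '..' before we inspect it.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "target": m.group("target"),
        "path": parts.path,
        "status": int(m.group("status")),
        "params": params,
    }


def find_indicators(log_text):
    """Return a list of findings for requests that match the advisory's log indicators."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        # Indicator 1: '..' in the table name parameter (decoded form).
        if any(".." in value for value in rec["params"].get("table", [])):
            reasons.append("table parameter contains '..'")
        # Indicator 2: POST to an Adminer file upload endpoint.
        if rec["method"] == "POST" and rec["path"] in UPLOAD_ENDPOINTS:
            reasons.append("POST to Adminer upload endpoint")
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "request": f'{rec["method"]} {rec["target"]}',
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["request"]} -> {"; ".join(f["reasons"])}')
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; any hit on the table-parameter indicator should be followed by a check for unexpected files in the Adminer directory, as the advisory's second log indicator describes.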