Foregenix are warning all their partners this morning about a vulnerability discovered in the popular database administration tool Adminer, affecting versions up to and including v4.6.2. The vulnerability was discovered by security researchers Yashar Shahinzadeh and, more recently, Willem de Groot, who publicised the potential impact to eCommerce sites using the software.
Adminer is a PHP administration tool which users can host on their web sites to enable them to remotely administer MySQL databases. Unfortunately, many web sites leave Adminer publicly accessible, meaning attackers can attempt to log into victims' databases using this tool. Connecting to a database does (normally) require knowledge of the database username and password. Unfortunately, this vulnerability exposes a method of potentially obtaining those credentials if they are stored in configuration files on the server, as they are with several popular eCommerce platforms such as Magento.
How Does It Work?
First, the attacker accesses the victim's Adminer instance, but instead of connecting to the victim's MySQL database, they connect "back" to a MySQL database hosted on their own server.
Second, using the victim's Adminer (now connected to the attacker's own database), they issue the MySQL command 'LOAD DATA LOCAL', specifying a file on the victim's server. This command loads data from a file local to the Adminer instance into the connected database. This matters because eCommerce platforms such as Magento often store database credentials in plain text in configuration files within the web site's file system; in the case of Magento, these details are stored in an XML file at app/etc/local.xml within the website's root directory. Using this command, the specified file is read by Adminer and then sent to be stored in the database Adminer is connected to, i.e. the attacker's own.
Third, the attacker, still using the victim's Adminer, disconnects from their own database and connects to the victim's database using the credentials they have just obtained. With access to the database they could read sensitive information, such as customer details. They could also write to the database, including inserting potentially malicious JavaScript into database fields that the eCommerce application later uses to dynamically render pages on the site.
For example, a Magento administrator can add custom code to the header and footer areas of their pages, and this custom code is stored in the MySQL database that Magento uses. A JavaScript card-harvesting script could easily be added to these database fields using this method, and would then run in a customer's browser when they load the victim's site. Such a script (which Foregenix regularly sees during the forensic investigations we perform) could 'steal' payment card information as the customer enters it into the victim's payment form and transmit that card information to the attacker.
Depending on the file permissions set up on the web server, it could be possible for attackers to steal other files using this method, such as system passwords stored in the /etc/passwd file on the server.
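The attack described above leaves two traces in an ordinary web server access log: Adminer being reached from a client address that is not one of the site's administrators, and Adminer session URLs whose database host is not the site's own. The following Python script, added here as a detection example (it is not part of this advisory and not Adminer's own code), scans constructed Apache-style log lines for both signals. The log format, the trusted client range 203.0.113.0/24, the file-name pattern used to recognise Adminer, and the assumption that Adminer keeps the connected database host in a 'server' URL query parameter are all assumptions of this example rather than facts stated in the advisory.

```python
"""Flag suspicious Adminer activity in a web server access log.

Added detection example; it is not part of the Foregenix advisory and not
Adminer's own code. Assumptions (also stated in the lead-in):
  - log lines are in Apache common/combined format;
  - Adminer is served from a path whose file name contains "adminer";
  - once logged in, Adminer keeps the database host it is connected to in
    the "server" URL query parameter.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Client networks from which administration tools may legitimately be used
# (constructed documentation range; replace with your own).
TRUSTED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]

# Database hosts an Adminer session on this server is expected to use.
# An empty value means the parameter was absent (login page, default host).
LOCAL_DB_HOSTS = {"", "localhost", "127.0.0.1", "::1"}

ADMINER_PATH_RE = re.compile(r"adminer[^\s?]*\.php", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one legitimate visit from the trusted range, then a
# session from an outside address whose Adminer URLs point at a foreign host.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2018:10:01:02 +0000] "GET /adminer.php HTTP/1.1" 200 1234
198.51.100.7 - - [10/Jun/2018:10:05:11 +0000] "POST /adminer.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Jun/2018:10:05:12 +0000] "GET /adminer.php?server=198.51.100.7&username=app HTTP/1.1" 200 5678
198.51.100.7 - - [10/Jun/2018:10:05:40 +0000] "POST /adminer.php?server=198.51.100.7&username=app&sql= HTTP/1.1" 200 5678
198.51.100.7 - - [10/Jun/2018:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 100
""".splitlines()


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True if the client address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_CLIENTS)


def analyse(lines):
    """Return a finding for every Adminer request that is reached from an
    untrusted client or whose session targets a non-local database host."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not ADMINER_PATH_RE.search(rec["target"]):
            continue
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("Adminer reached from untrusted client")
        server = parse_qs(urlsplit(rec["target"]).query).get("server", [""])[0]
        if server.lower() not in LOCAL_DB_HOSTS:
            reasons.append(f"session targets foreign database host {server!r}")
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["ts"],
                             "target": rec["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["time"], f["ip"], f["target"], "|", "; ".join(f["reasons"]))
```

On the constructed sample the first, trusted visit produces nothing, while the three Adminer requests from 198.51.100.7 are flagged, two of them additionally for pointing the session at a foreign database host. Run against a real log, the foreign-host check is the more specific of the two signals, because an Adminer that is supposed to talk only to the local database has no reason to carry any other host in its URLs.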
What Can I Do?
The first way to protect yourself against this specific vulnerability is to upgrade Adminer to the latest version (4.7.0); versions 4.6.3 and above have already addressed this vulnerability.
Adminer (or similar PHP administration tools) should never be publicly accessible. Web servers should be configured to only allow access to these applications from known and trusted IP addresses. Often these tools are installed when sites are set up but are not frequently used; if they are not required, they should be removed entirely. Access can be restricted through the use of .htaccess files or similar, depending on the web server being used.
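The three recommendations above (upgrade, restrict access, or remove the tool) can be checked in one pass over a web root. The following Python script is an added example, not part of this advisory and not Adminer's own code: it walks a directory tree, reports every Adminer copy it finds with its version, marks versions below 4.6.3 as still affected, and records whether an Apache .htaccess in the same directory carries an IP allow-list. It assumes that Adminer files have "adminer" in their name and a .php extension, that the version appears either as "@version X.Y.Z" in the file's header comment or as $VERSION = "X.Y.Z", and that a restriction is expressed with the Apache directives "Require ip" (2.4) or "Allow from" (2.2). The web root it scans by default is a constructed temporary one built by build_demo_root().

```python
"""Audit a web root for Adminer copies: version and access restriction.

Added example; not part of the Foregenix advisory and not Adminer's own
code. Assumptions (also stated in the lead-in):
  - an Adminer file is any *.php whose file name contains "adminer";
  - the version is declared as "@version X.Y.Z" in the header comment or
    as $VERSION = "X.Y.Z";
  - an Apache .htaccess in the same directory counts as an access
    restriction only if it contains a "Require ip" or "Allow from" rule.
"""
import os
import re
import tempfile

FIXED_VERSION = (4, 6, 3)  # first release the advisory says addresses the issue
VERSION_RE = re.compile(
    r'@version\s+(\d+\.\d+\.\d+)|\$VERSION\s*=\s*"(\d+\.\d+\.\d+)"')
RESTRICT_RE = re.compile(r'^\s*(Require\s+ip|Allow\s+from)\b',
                         re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Return the declared Adminer version as a tuple, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in (m.group(1) or m.group(2)).split("."))


def htaccess_restricts(directory):
    """True if directory/.htaccess holds an IP allow-list rule."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return bool(RESTRICT_RE.search(fh.read()))


def audit(web_root):
    """List every Adminer copy under web_root with version and restriction state."""
    results = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            lower = name.lower()
            if "adminer" not in lower or not lower.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            results.append({
                "path": path,
                "version": version,
                "vulnerable": version is not None and version < FIXED_VERSION,
                "access_restricted": htaccess_restricts(dirpath),
            })
    return results


def build_demo_root():
    """Create a constructed web root with two Adminer copies for demonstration:
    an old unrestricted one under tools/ and a current, allow-listed one under admin/."""
    root = tempfile.mkdtemp(prefix="adminer-audit-")
    old = os.path.join(root, "tools")
    os.makedirs(old)
    with open(os.path.join(old, "adminer.php"), "w") as fh:
        fh.write("<?php\n/** Adminer - Compact database management\n* @version 4.6.2\n*/\n")
    new = os.path.join(root, "admin")
    os.makedirs(new)
    with open(os.path.join(new, "adminer-4.7.0.php"), "w") as fh:
        fh.write('<?php\n$VERSION = "4.7.0";\n')
    with open(os.path.join(new, ".htaccess"), "w") as fh:
        fh.write("Require ip 203.0.113.0/24\n")  # constructed trusted range
    return root


if __name__ == "__main__":
    for r in audit(build_demo_root()):
        state = "AFFECTED" if r["vulnerable"] else "ok"
        guard = "restricted" if r["access_restricted"] else "OPEN"
        print(f"{r['path']}: version {r['version']} [{state}], access {guard}")
```

Point audit() at the real document root instead of the demo one to use it on a site. A copy reported as both AFFECTED and OPEN is the case the advisory warns about; the quickest remediation for a copy that is no longer needed is simply to delete it. The script only inspects Apache-style .htaccess files; on nginx the equivalent is an allow/deny list in the location block that serves the file.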
Also, Foregenix have a range of solutions which can help detect malicious code on websites, including FGX-Web. If you believe you have been a victim of this attack, contact Foregenix today to discuss our Incident Response solutions.