ottogal (Posted March 23)

Hello to this tremendous community!

The hoster of one of my ProcessWire websites is warning me about a critical vulnerability caused by the Adminer module:

> We have found an outdated version of the database management tool Adminer (https://www.adminer.org/) in your account. A security vulnerability in this tool could allow attackers to gain full access to your web space (FTP). (see https://github.com/advisories/GHSA-2v82-5746-vwqc)

So I've got some questions:

(1) My installed version of TracyDebugger is v 4.19.33. (I didn't use it much, so never considered an update.) Would it be sufficient to update it to v 4.25.22 to fix the problem? Or would I need a separate update of the Adminer module?

(2) I also thought of just uninstalling the module ProcessTracyAdminer. When trying this in the Admin, I'm told to manually delete the respective files and directories. Presumably I'd want to delete the file ProcessTracyAdminer.module.php and, in the panel\ subdirectory, the file AdminerPanel.php and the subdirectory Adminer\. Am I right - or is there more to it?

Any insight is much appreciated!
ottogal

adrian (Posted March 23)

Tracy has included the updated version of Adminer since it was released almost 3 years ago now, so just update to the latest version and you'll be fine.

ottogal (Posted March 23)

Thank you for the quick reply! I'm planning to get more into the details of the great Tracy module...

ottogal (Posted March 25)

FYI: Just updating the TracyDebugger module did not affect the files and directories in the panel/ subdirectory. I had to delete Tracy and reinstall it to get that solved. (Perhaps because of the PHP version being very old, too: 5.6)

Tiberium (Posted March 25)

On 3/23/2024 at 3:27 PM, adrian said:
> Tracy has included the updated version of Adminer since it was released almost 3 years ago now

Any plans to switch to the maintained fork: https://github.com/adminerevo/adminerevo ?

adrian (Posted March 25)

7 hours ago, ottogal said:
> Just updating the TracyDebugger module did not affect the files and directories in the panel/ subdirectory

Hi @ottogal - not sure why that would happen. How did you update Tracy? I suppose you can't really tell anymore, but I wonder if the permissions for that folder were somehow preventing it from being writable by PHP. Anyway, updating is not something individual PW modules have any control over so certainly not an issue with Tracy per se.

It shouldn't be related to the PHP version, but you do really need to get that updated - it was EOL'd 5 years ago so you've had no security updates in that time - I would think your host should be more worried about that than an old version of Adminer that was restricted to superuser access anyway - all module files in PW are restricted by htaccess.

2 hours ago, Denis Schultz said:
> Any plans to switch to the maintained fork: https://github.com/adminerevo/adminerevo ?

Thanks for the heads up @Denis Schultz - I hadn't seen that, but I'll definitely take a look and see what it would take to switch.

adrian (Posted March 25)

@Denis Schultz - new version of Tracy now uses AdminerEvo. Thanks again for letting me know about this new fork. Hopefully it has a long life. I had to tweak a few things so if anyone sees any issues (should be mostly cosmetic hopefully), please let me know.

ottogal (Posted April 1)

On 3/25/2024 at 3:01 PM, adrian said:
> Hi @ottogal - not sure why that would happen. How did you update Tracy? I suppose you can't really tell anymore, but I wonder if the permissions for that folder were somehow preventing it from being writable by PHP.

I used the Update option in Tracy's Module Information from the Admin (and used the Delete button in the module's Settings afterwards).

In site/config.php I had the permissions set to $config->chmodDir = '0755'; and $config->chmodFile = '0644';

Maybe this '0644' prevented the update of the file adminer-4.8.1-mysql.php and others.

> It shouldn't be related to the PHP version, but you do really need to get that updated - it was EOL'd 5 years ago

In fact the actual version was 7.2, I didn't recall having upgraded one day. (It's indeed a years old site not touched often later.) But sure, I should update anew.

Many thanks for your considerations, @adrian!
ottogal

adrian (Posted April 1)

@ottogal - I really don't know - it's not likely an issue with the perms set in config.php, but perhaps the module folders themselves. It might even be the "owner" being off, rather than the permissions, especially if you FTP'd things across initially. Anyway sounds like you have it sorted for now, so let's not worry too much about it.
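
A way to check the two things this thread turns on, bundled Adminer files left behind by a module update and files owned by someone other than the PHP user, as an added example that is not part of any post or of TracyDebugger. The function names, the `--demo` switch, the sample tree and the stale `adminer-0.0.1-mysql.php` are constructed; the minimum version is supplied by the caller from the advisory being checked.

```shell
#!/bin/sh
# Added example (not from the thread): list bundled Adminer files under a
# module folder and flag stale versions or files PHP's user does not own.

# ver_lt A B: succeed when dotted numeric version A is lower than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# audit_adminer DIR MIN_VERSION EXPECTED_UID
# MIN_VERSION: lowest acceptable version (assumption: taken from the advisory).
# EXPECTED_UID: numeric uid the web server's PHP runs as.
# Prints one tab-separated line per file: flags, version, owner uid, path.
audit_adminer() {
    find "$1" -type f -name 'adminer-*.php' | sort | while IFS= read -r f; do
        base=${f##*/}
        ver=${base#adminer-}; ver=${ver%%-*}; ver=${ver%.php}
        uid=$(ls -ldn "$f" | awk '{print $3}')
        flags=
        ver_lt "$ver" "$2" && flags="${flags}OUTDATED,"
        [ "$uid" = "$3" ] || flags="${flags}FOREIGN-OWNER,"
        flags=${flags%,}
        printf '%s\t%s\t%s\t%s\n' "${flags:-OK}" "$ver" "$uid" "$f"
    done
}

# Constructed sample tree; the panel/Adminer location is an assumption.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/TracyDebugger/panel/Adminer"
    : > "$root/TracyDebugger/panel/Adminer/adminer-4.8.1-mysql.php"
    : > "$root/TracyDebugger/panel/Adminer/adminer-0.0.1-mysql.php"  # constructed stale copy
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    audit_adminer "$tree" 4.8.1 "$(id -u)"
    rm -rf "$tree"
fi
```

A file flagged FOREIGN-OWNER is one the admin's module updater may be unable to overwrite, which would leave the old copy in place after an otherwise successful update.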