Adminer
Useful but extremely dangerous (6 posts)

  1. annoyingmouse
    Member
    Posted 1 year ago #

    The tool is very useful, but extremely dangerous! Even when disabled in /wp-admin/plugins.php, the PHP files can still be accessed directly. They require no authentication whatsoever but offer full access to the database.

    The only limit I found is that you have to guess the database name and prefix, which is not so hard in most cases.

    I've disclosed all details to the author, but got no reply at all.

    @Author: please fix this

  2. Frank
    Member
    Plugin Author

    Posted 1 year ago #

    Yes, the plugin is also usable for non-WP sites.
    Maybe I will include a blocker for access not via WP.

  3. annoyingmouse
    Member
    Posted 1 year ago #

    Hi Frank,

    Good that the plugin can also be used for non-WP. But the reason that this plugin is so much less secure than the vanilla one is that it reads the database connection information automatically.

    So where a bad guy would have to guess the password as well when using adminer, the adminer-wordpress-plugin does not have this protection.

    If the adminer-wp-plugin uses wordpress-specific convenience features to allow access to the database, I think it should also use wordpress-specific protection.

  4. jakubvrana
    Member
    Posted 1 year ago #

    Frank, can you move the is_admin() check to login() in loader.php?

  5. Frank
    Member
    Plugin Author

    Posted 1 year ago #

    Yes, it is possible. The WP functions are usable in this part.
    I will do this in the next update, maybe today. Sorry, I have had so many topics lately.

  6. Frank
    Member
    Plugin Author

    Posted 1 year ago #

    @jakubvrana is_admin() is not so easily usable, only via load from admin.php, and I think a better check is for the rights of the user, via current_user_can(). In the new version I have included this check, so it can be used only if the user is logged in and has enough capability to use your great tool Adminer.

    @annoyingmouse: I have included a check for the capability, which also checks if the user is logged in and doesn't allow loading the loader without WP. Thanks for the important hint!
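The pattern the thread converges on (refuse direct loads of the file, then require a logged-in user with a real capability rather than is_admin()), as an added example written for this page and not code from the Adminer plugin itself. The file name loader.php, the page slug and the menu labels are assumptions.

```php
<?php
/*
 * Hypothetical wp-content/plugins/adminer/loader.php (constructed example).
 * Addresses the two problems raised above: the file answering direct HTTP
 * requests, and the database credentials being filled in for anyone who asks.
 */

/* 1. Direct-access guard. A request straight to this file never bootstraps
 *    WordPress, so ABSPATH is undefined. Bail before touching $wpdb. */
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit( 'Direct access not allowed.' );
}

/* 2. Identity and capability check. is_admin() only reports whether an admin
 *    screen is being rendered; it says nothing about who the user is, so it is
 *    not an authorization check. manage_options is held only by administrators
 *    by default, so it is a sensible minimum for a tool with full DB access. */
function adminer_wp_user_allowed() {
    return is_user_logged_in() && current_user_can( 'manage_options' );
}

/* 3. Register the tool as an admin page so WordPress itself enforces the
 *    capability on the menu entry; the callback re-checks before rendering. */
function adminer_wp_register_page() {
    add_menu_page(
        'Adminer',            // page title
        'Adminer',            // menu title
        'manage_options',     // capability WP checks before showing the page
        'adminer-wp-tool',    // slug (assumed)
        'adminer_wp_render'   // callback
    );
}
add_action( 'admin_menu', 'adminer_wp_register_page' );

function adminer_wp_render() {
    if ( ! adminer_wp_user_allowed() ) {
        wp_die( 'You do not have permission to use this tool.', 403 );
    }
    global $wpdb;
    /* Only now is it acceptable to pass $wpdb's connection details
     * (DB_HOST, DB_NAME, DB_USER, DB_PASSWORD) to the bundled tool. */
    echo '<h1>Adminer</h1>';
}
```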

This topic has been closed to new replies.