CVE-2021-43008: 
PHP vulnerability analysis and mitigation

Adminer versions 1.12.0 to 4.6.2 contained an Improper Access Control vulnerability (CVE-2021-43008) that allowed attackers to perform arbitrary file reads on remote servers. The vulnerability was discovered in 2021 and was fixed in version 4.6.3, released in June 2018. The vulnerability affects all installations of Adminer, a popular web-based database management tool written in PHP (NVD, Debian LTS).

The vulnerability allows an attacker to achieve Arbitrary File Read on the remote server by requesting Adminer to connect to a malicious MySQL database. The CVSS v3.1 base score is 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The exploitation involves a three-stage process where an attacker uses a modified MySQL server to send data import requests to connecting clients, locates an exposed adminer.php file, and instructs Adminer to connect to the rigged MySQL server (Sansec Research).

When successfully exploited, the vulnerability allows attackers to read sensitive files from the server, including configuration files containing database credentials. This access could lead to unauthorized database access and potential exposure of sensitive data. The vulnerability has been observed being used by different Magecart factions to inject payment skimmers on several high-profile stores, including government and multinational organizations (Sansec Research).

The vulnerability was fixed in Adminer version 4.6.3 and later versions. Organizations are recommended to upgrade to the latest version of Adminer. Additional security measures include protecting database tools with additional password authentication, implementing IP filtering, and ensuring Adminer installations are not publicly accessible. When not in use, it's recommended to remove Adminer from the server (Adminer, Sansec Research).