Hi Chris,

On Wed, Mar 21, 2018 at 02:44:29AM +0000, Chris Lamb wrote:
> Package: adminer
> Version: 4.2.5-3
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> the following vulnerability was published for adminer.
>
> CVE-2018-7667[0]:
> | Adminer through 4.3.1 has SSRF via the server parameter.
I think there is little which upstream could do in addition to what was done in 4.4.0 upstream to mitigate the issue, or am I missing something? 4.4.0 did:

> Adminer 4.4.0 (released 2018-01-17):
> [...]
> Rate limit password-less login attempts from the same IP address
> Disallow connecting to privileged ports
> [...]

One thing which additionally maybe could be done is to restrict which server/ports can be reached from the adminer interface from the configuration file, e.g. by introducing a server configurations array so that only those specific servers can be connected to.

Regards,
Salvatore
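The allow-list idea in the reply above, sketched as an added example that is not Adminer's code and does not reproduce its plugin API: a standalone PHP check that accepts the `server` value from the login form only if it names a host from a configured array, on a port that is both permitted for that host and non-privileged (the latter matching the 4.4.0 hardening quoted above). The function names, the configuration array and the sample inputs are all hypothetical and constructed for this illustration.

```php
<?php
// Added example, not Adminer's own code. Validates the "server" parameter
// against an operator-maintained allow-list before any connection is made.

const PRIVILEGED_PORT_LIMIT = 1024;

/**
 * Parse "host" or "host:port" (IPv6 in brackets, e.g. "[::1]:3306").
 * Returns [host, port-or-null], or null when the value is malformed.
 */
function parse_server(string $server): ?array {
    if ($server === '') {
        return null;
    }
    if ($server[0] === '[') {
        if (!preg_match('/^\[([0-9a-fA-F:.]+)\](?::(\d{1,5}))?$/', $server, $m)) {
            return null;
        }
        return [$m[1], isset($m[2]) ? (int)$m[2] : null];
    }
    if (!preg_match('/^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$/', $server, $m)) {
        return null;
    }
    return [$m[1], isset($m[2]) ? (int)$m[2] : null];
}

/**
 * True only when $server matches a configured entry. $allowed maps a
 * lower-case host name to a list of permitted ports; an empty list means
 * "any non-privileged port" for that host. Anything unparseable, any host
 * not in the array, and any privileged port is rejected.
 */
function server_allowed(string $server, array $allowed, int $default_port = 3306): bool {
    $parsed = parse_server($server);
    if ($parsed === null) {
        return false;
    }
    [$host, $port] = $parsed;
    $port = $port ?? $default_port;

    // Mirrors the 4.4.0 change: never reach a privileged port, whatever the allow-list says.
    if ($port < PRIVILEGED_PORT_LIMIT || $port > 65535) {
        return false;
    }

    $host = strtolower($host);
    if (!array_key_exists($host, $allowed)) {
        return false;
    }
    $ports = $allowed[$host];
    return $ports === [] || in_array($port, $ports, true);
}

// Hypothetical configuration array, as it might be loaded from a config file.
$ALLOWED_SERVERS = [
    'db.internal.example'      => [3306],
    'replica.internal.example' => [],
];

// Constructed inputs: an allowed host on its listed port, the same host on an
// unlisted port, an allowed host with "any port", a host that is not configured,
// and an allowed host on a privileged port.
foreach ([
    'db.internal.example',
    'db.internal.example:3307',
    'replica.internal.example:5432',
    'other.example:3306',
    'db.internal.example:80',
] as $candidate) {
    printf("%-32s %s\n", $candidate, server_allowed($candidate, $ALLOWED_SERVERS) ? 'allowed' : 'rejected');
}
```

The point of keeping the check in one function is that it runs before the driver ever opens a socket, so a user of the web interface cannot steer a connection attempt at an arbitrary host or port; the configured array is the only source of reachable targets, and the privileged-port rule is applied regardless of how the array is populated.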