chamilo / chamilo-lms

Chamilo is a learning management system focused on ease of use and accessibility
https://chamilo.org
GNU General Public License v3.0

db.php Adminer vulnerable version #5102

Open ir0nb1t opened 7 months ago

ir0nb1t commented 7 months ago

**Describe** We configured a Sucuri monitor to protect our website, and when we scan for malware it detects that the file db.php is potentially a risky hacker file.

I investigated this and found that Adminer has a vulnerability report in NIST, CVE-2021-21311 (https://nvd.nist.gov/vuln/detail/CVE-2021-21311), that affects all versions from 4.0.0 to before 4.7.9.

I thought my site was hacked and someone had modified db.php, but then I saw two other Chamilo installations and the same file with the same version is present. I also downloaded new installation files to verify, and I verified that the file is there, so it comes with the installation files.

File is in the folder /main/admin/

And it shows that the version of Adminer is 4.7.7.

**To Reproduce** Steps to reproduce the behavior:

  1. Go to folder '/main/admin/.'
  2. Open file 'db.php'
  3. Scroll down to 'line 2 Adminer and line 8 @version 4.7.7'
  4. See error (vulnerable version of Adminer)

**Expected behavior**

Chamilo has a vulnerable php file

**Screenshots** [image]

**Desktop:** Server

ywarnier commented 7 months ago

Hi @ir0nb1t, the Adminer version present is modified to make sure that:

Otherwise, it doesn't allow further execution, which means that sadly vulnerability scanners will detect it as a vulnerable version, but it shouldn't be vulnerable at all.

However, Chamilo itself has had 3 critical vulnerabilities in 2023, and this would be my first guess as to why your portal was hacked. Then maybe they found db.php and used it (once connected as admin through their hack). Please make sure you use Chamilo 1.11.26 or a later Git version.

ir0nb1t commented 7 months ago

Hi @ywarnier

Sorry, I'm not clear: if db_manager_enabled is set to FALSE, it doesn't allow further execution (Chamilo can work with no issue if it's false), and it only allows connections if it's set to TRUE (but could that leave the site exposed to the vulnerable version?).

ywarnier commented 7 months ago

Be it false or true, the setting had probably nothing to do with your site being vulnerable. It was vulnerable anyway because of the 3 critical vulnerabilities I mentioned, which could still be present in your version if you don't use version 1.11.26 today.

The vulnerabilities could have let someone modify db.php later. It is unlikely that the vulnerability was caused by db.php itself.

ir0nb1t commented 7 months ago

I just downloaded the latest install from the website, v1.11.26, and see that db.php has Adminer version 4.7.7. I installed a new and clean Chamilo 1.11.26, ran the scanner, and it reports that the file db.php seems vulnerable because of the Adminer version.

Also, I understand that maybe this file does not leave a door open for someone to hack the site, but as it has a vulnerable version, the security team is worried about this.

So my question is: do I have to set db_manager_enabled to False or True to improve security, and request acceptance of the risk until the Adminer version is updated? (Or could it be a false positive?)

ir0nb1t commented 6 months ago

Anyone there?

Do we have to configure db_manager_enabled as FALSE to prevent someone connecting with this db.php???

Is updating the Adminer version on the roadmap?

To clarify, our site WAS NOT hacked; the report is the result of a malware scan, even on a fresh installation of the latest version.

Regards,

NicoDucou commented 5 months ago

Hi @ir0nb1t

You have to set the configuration to false, which is the default configuration: `$_configuration['db_manager_enabled'] = false;`

Best regards
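As an added audit check (not code from Chamilo or from anyone in this thread), the script below reads the Adminer `@version` banner out of a `db.php` source and the `db_manager_enabled` value out of a Chamilo `configuration.php` source, then reports whether the banner falls inside the CVE-2021-21311 range quoted in the issue (4.0.0 up to but not including 4.7.9, which is what a signature scanner matches on) and whether the setting is false as NicoDucou recommends. The sample file contents are constructed for the example, the banner layout is modelled only on the issue's description of lines 2 and 8, and the file paths in the commented-out usage are assumptions for a 1.11 checkout.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample of the top of main/admin/db.php, modelled on the issue's
# description (an Adminer banner with "@version 4.7.7" near line 8). It is not
# a copy of the real file.
SAMPLE_DB_PHP = """<?php
/** Adminer - Compact database management
 * @version 4.7.7
 */
"""

# Constructed samples of the relevant line of Chamilo's configuration file
# (the default value NicoDucou quotes in the thread, and the opposite).
SAMPLE_CONFIG_OFF = "<?php\n$_configuration['db_manager_enabled'] = false;\n"
SAMPLE_CONFIG_ON = "<?php\n$_configuration['db_manager_enabled'] = true;\n"

# Range quoted in the issue: CVE-2021-21311 affects 4.0.0 up to, but not
# including, 4.7.9.
AFFECTED_FROM: Version = (4, 0, 0)
FIXED_IN: Version = (4, 7, 9)

_VERSION_RE = re.compile(r"@version\s+(\d+(?:\.\d+)*)")
_SETTING_RE = re.compile(
    r"\$_configuration\[\s*['\"]db_manager_enabled['\"]\s*\]\s*=\s*(true|false)\s*;",
    re.IGNORECASE,
)


def adminer_version(db_php_source: str) -> Optional[Version]:
    """Return the @version from the Adminer banner as an int tuple, or None."""
    m = _VERSION_RE.search(db_php_source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def in_cve_2021_21311_range(version: Version) -> bool:
    """True when the banner version is inside the range a scanner matches on."""
    return AFFECTED_FROM <= version < FIXED_IN


def db_manager_enabled(config_source: str) -> Optional[bool]:
    """Return the last effective db_manager_enabled assignment, or None if unset.

    Lines commented out with //, # or inside a block comment are skipped;
    PHP keeps the last assignment, so the last match wins.
    """
    value: Optional[bool] = None
    for line in config_source.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        m = _SETTING_RE.search(stripped)
        if m:
            value = m.group(1).lower() == "true"
    return value


def audit(db_php_source: str, config_source: str) -> dict:
    """Combine the two checks into the facts a scanner ticket needs."""
    version = adminer_version(db_php_source)
    flagged = version is not None and in_cve_2021_21311_range(version)
    setting = db_manager_enabled(config_source)
    # Unset means the default, which the maintainer states is false.
    enabled = bool(setting) if setting is not None else False
    if not flagged:
        verdict = "banner outside the CVE-2021-21311 range"
    elif enabled:
        verdict = "banner in range and db_manager_enabled is true: set it to false"
    else:
        verdict = "banner in range (expected scanner hit); db_manager_enabled is false"
    return {
        "adminer_version": version,
        "banner_in_cve_range": flagged,
        "db_manager_enabled": enabled,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Assumed paths for a Chamilo 1.11 checkout; adjust to your install:
    # with open("main/admin/db.php") as f, open("app/config/configuration.php") as g:
    #     print(audit(f.read(), g.read()))
    print(audit(SAMPLE_DB_PHP, SAMPLE_CONFIG_OFF))
```

Run against the constructed samples the audit reports the version as `(4, 7, 7)`, the banner as inside the range (so the scanner finding is expected, not a sign of tampering) and the setting as false; the point of splitting the two checks is that a banner match on its own says nothing about the guard the maintainer describes, so the ticket should record both facts rather than only the scanner's signature hit.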