pgAdmin
cpe:2.3:a:pgadmin:pgadmin:*:*:*:*:postgresql:*:*
- 9.11
A vulnerability in pgAdmin version 9.11 allows for a restore restriction bypass through key disclosure. This issue arises when pgAdmin is running in server mode and restoring from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an ongoing restore operation, extract the `\restrict` key in real time, and interfere with the restore process. By overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`, the attacker can execute commands on the pgAdmin host during the restore operation.
Exploitation of this vulnerability allows for unauthorized command execution on the pgAdmin host during a restore operation.
To reproduce this vulnerability, initiate a restore operation from a PLAIN-format dump file in pgAdmin 9.11 while the application is in server mode. An attacker can then monitor the process to capture the `\restrict` key and use it to overwrite the restore script, re-enabling meta-commands and executing commands on the host.
Users can update to pgAdmin version 9.12, where this vulnerability has been addressed.
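An added example, not code from pgAdmin or this advisory: a Python audit of a PLAIN-format restore script for the tampering pattern described above, where an `\unrestrict <key>` leaves later meta-commands unrestricted. It assumes the script should hold a single `\restrict <key>` ... `\unrestrict <key>` pair, inspects only lines that begin with a backslash, and runs on constructed sample scripts with a placeholder key; `audit_restore_script` is a hypothetical name.

```python
import re

META = re.compile(r"^\\(\S+)[ \t]*(\S*)")   # line-initial psql meta-command
COPY_STDIN = re.compile(r"^COPY\s.*\sFROM\s+stdin;\s*$", re.I)

def audit_restore_script(text):
    """Return [(line_no, finding)] for a PLAIN-format restore script."""
    findings, key, restricted, in_copy = [], None, False, False
    for no, line in enumerate(text.splitlines(), 1):
        if in_copy:                  # COPY data rows may start with "\N" etc.
            in_copy = line != "\\."  # a lone "\." ends the data block
            continue
        if COPY_STDIN.match(line):
            in_copy = True
            continue
        m = META.match(line)
        if not m:
            continue
        cmd, arg = m.groups()
        if cmd == "unrestrict":
            if restricted and arg == key:
                restricted = False
            else:
                findings.append((no, "\\unrestrict without matching \\restrict key"))
        elif restricted:             # restricted mode accepts only \unrestrict
            findings.append((no, f"\\{cmd} inside restricted section (psql refuses it)"))
        elif cmd == "restrict":
            key, restricted = arg, True
        else:                        # anything here executes as a meta-command
            findings.append((no, f"\\{cmd} would run unrestricted"))
    if key is None:
        findings.append((0, "no \\restrict line: script runs unrestricted throughout"))
    return findings

# Constructed samples; the key is a made-up placeholder, not a real value.
CLEAN = "\n".join([
    "\\restrict CONSTRUCTEDKEY123",
    "CREATE TABLE t (a text, b int);",
    "COPY public.t (a, b) FROM stdin;",
    "\\N\t1",
    "\\.",
    "\\unrestrict CONSTRUCTEDKEY123",
])
TAMPERED = "\n".join([
    "\\restrict CONSTRUCTEDKEY123",
    "CREATE TABLE t (a text, b int);",
    "\\unrestrict CONSTRUCTEDKEY123",
    "\\echo constructed-marker",
])

if __name__ == "__main__":
    for name, script in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_restore_script(script))
```

A script that passes this audit before a restore and fails it afterwards was changed while the restore was running.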