phpMyAdmin on Gentoo Install Script Local Password Disclosure

2005-04-30T04:51:15
ID OSVDB:16053
Type osvdb
Reporter OSVDB
Modified 2005-04-30T04:51:15

Description

Vulnerability Description

phpMyAdmin on Gentoo contains a flaw that may lead to an unauthorized password exposure. The problem is that the file "[version]_create.sql" is left world-readable with the password for the pma user after the installation process. Any unprivileged local user may read this file to obtain the password.

Solution Description

Upgrade to version 2.6.2-r1 or higher, as it has been reported to fix this vulnerability. Alternatively, the following workaround corrects the flaw: change the password for the phpMyAdmin MySQL user (pma) and update the phpMyAdmin config.inc.php to reflect the new password.
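
The following POSIX shell check for the condition described above is an added example, not part of the advisory or of the Gentoo package. The function names and the directory argument are assumptions; the advisory does not state where the "[version]_create.sql" file is installed, so the path to scan must be supplied.

```shell
#!/bin/sh
# Added example: audit for world-readable phpMyAdmin "*_create.sql" files.
# The scan directory is an argument (assumption): the advisory gives no path.

# Print every regular file named *_create.sql under $1 whose mode has the
# "other: read" bit (004) set.
find_exposed_create_sql() {
    find "$1" -type f -name '*_create.sql' -perm -004 -print 2>/dev/null
}

# Remove all "other" permission bits from the files reported above.
# This only stops further reads; a password that was already readable
# still has to be changed, as the workaround in the advisory says.
lock_down_create_sql() {
    find "$1" -type f -name '*_create.sql' -perm -004 -exec chmod o-rwx {} +
}

# List findings with owner and mode. Returns 1 if any exposed file exists,
# 0 if the directory is clean.
audit_create_sql() {
    hits=$(find_exposed_create_sql "$1")
    if [ -n "$hits" ]; then
        echo "World-readable create scripts (treat the pma password as exposed):"
        echo "$hits" | while IFS= read -r f; do ls -l "$f"; done
        return 1
    fi
    echo "No world-readable *_create.sql files under $1"
    return 0
}

# Run the audit only when a directory is passed on the command line.
if [ "$#" -ge 1 ]; then
    audit_create_sql "$1"
fi
```
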

References:

Vendor URL: http://www.phpmyadmin.net
Secunia Advisory ID: 15198
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200504-30.xml
ISS X-Force ID: 20365
CVE-2005-1392