phpMyAdmin on Gentoo Install Script Local Password Disclosure
Local Access Required
Loss of Confidentiality
phpMyAdmin on Gentoo contains a flaw that may lead to unauthorized password exposure. The problem is that the install script "[version]_create.sql", which contains the password for the pma control user, is left world-readable after the installation process. Any unprivileged local user may read this file to obtain the password.
Upgrade to version 2.6.2-r1 or higher, which is reported to fix this vulnerability. Alternatively, apply the following workaround: change the password for the phpMyAdmin MySQL user (pma) and update your phpMyAdmin config.inc.php to reflect the new password. Restricting the permissions on the SQL file alone is not enough, since a local user may already have read it; that is why the workaround rotates the password rather than only hiding the file.
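The following POSIX shell helpers are an added example for this entry (not code from the Gentoo advisory or the phpMyAdmin project). They locate any world-readable "*_create.sql" under a phpMyAdmin install, remove group/other access from it, emit the MySQL statement that rotates the pma password, and rewrite the controlpass line in config.inc.php. The install directory, the config option names (controluser/controlpass, as used by phpMyAdmin 2.x) and the MySQL 4.1-style SET PASSWORD syntax are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example for the phpMyAdmin/Gentoo world-readable install-script issue.
# Assumptions: PMA_DIR is where webapp-config put phpMyAdmin (path is a guess),
# the control user is 'pma'@'localhost', and config.inc.php uses the
# $cfg['Servers'][$i]['controlpass'] option from phpMyAdmin 2.x.
PMA_DIR=${PMA_DIR:-/var/www/localhost/htdocs/phpmyadmin}

# world_readable FILE -> 0 if "other" has read access, 1 if not, 2 if missing.
# Uses the ls mode string (e.g. -rw-r--r--): column 8 is the other-read bit,
# so this works the same on GNU and BSD userlands unlike stat(1) flags.
world_readable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 2
    case "$mode" in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# find_exposed_sql DIR -> prints every *_create.sql under DIR that any local
# user can read (the condition the advisory describes).
find_exposed_sql() {
    find "$1" -type f -name '*_create.sql' 2>/dev/null | while IFS= read -r f; do
        if world_readable "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# lock_down FILE -> leave the file readable by its owner only. This stops
# further disclosure but does not undo a read that already happened.
lock_down() {
    chmod g-rwx,o-rwx "$1"
}

# rotate_pma_sql NEWPASS -> prints the statement to feed to `mysql -u root -p`.
# NEWPASS must not contain a single quote (no escaping is done here).
rotate_pma_sql() {
    printf "SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('%s');\n" "$1"
}

# update_controlpass CONFIG NEWPASS -> replaces the value on the controlpass
# line so phpMyAdmin keeps working after the MySQL password changes.
# NEWPASS must not contain '|', '&', '\' or a single quote (sed delimiter
# and replacement metacharacters). Writes through a temp copy; sed -i is
# not POSIX.
update_controlpass() {
    cfg=$1
    newpass=$2
    sed "s|^\([[:space:]]*[$]cfg\['Servers']\[[$]i]\['controlpass'][[:space:]]*=[[:space:]]*'\)[^']*\(';\)|\1${newpass}\2|" \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Typical use (run as root):
#   for f in $(find_exposed_sql "$PMA_DIR"); do lock_down "$f"; done
#   rotate_pma_sql 'NewPassHere' | mysql -u root -p
#   update_controlpass "$PMA_DIR/config.inc.php" 'NewPassHere'
```

The permission check and the password rotation are deliberately separate functions: on a multi-user box the file may have been read long before you noticed, so the lock-down only closes the window and the rotation is what actually invalidates the leaked credential.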
phpMyAdmin on Gentoo sets insecure default permissions on the SQL install script. As a result, local attackers may gain unauthorized access to database credentials.
This issue was reported in a Gentoo advisory. It is not known whether the vulnerability is limited to Gentoo installations of phpMyAdmin.
There is no exploit required.
Gentoo has released advisory GLSA 200504-30 to provide fixes for this issue. Gentoo updates may be applied by running the following commands as the superuser:
emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.2-r1"
No fix from the phpMyAdmin project itself is known for this issue; the correction is carried in the Gentoo ebuild referenced above.