Published: 2005-05-03 00:00:00
Revised: 2011-03-07 21:21:42

[Original] The SQL install script in phpMyAdmin 2.6.2 is created with world-readable permissions, which allows local users to obtain the initial database password by reading the script.


The SQL install script in phpMyAdmin 2.6.2 is created with world-readable permissions; a local user can obtain the initial database password by reading this script.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  VUPEN  ADV-2005-0436

- Vulnerability information

Medium severity  Configuration error
2005-05-03 00:00:00 2005-10-20 00:00:00
The SQL install script in phpMyAdmin 2.6.2 is created with world-readable permissions; a local user can obtain the initial database password by reading this script.

- Advisories and patches


- Vulnerability information

phpmyadmin on Gentoo install Script Local Password Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

phpMyAdmin on Gentoo contains a flaw that may lead to an unauthorized password exposure. The problem is that the file "[version]_create.sql" is left world-readable with the password for the pma user after the installation process. Any unprivileged local user may read this file to obtain the password.

- Timeline

2005-04-30 Unknown
2005-04-30 Unknown

- Solution

Upgrade to version 2.6.2-r1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Change the password for the phpMyAdmin MySQL user (pma) and update your phpMyAdmin to reflect the new password.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

PHPMyAdmin Insecure SQL Install Script Permissions Vulnerability
Configuration Error 13452
No Yes
2005-04-30 12:00:00 2009-07-12 02:06:00
This issue was announced by Gentoo.

- Affected program versions

phpMyAdmin phpMyAdmin 2.6.2
+ Gentoo Linux

- Vulnerability discussion

PHPMyAdmin sets insecure default permissions on the SQL install script. As a result, local attackers may gain unauthorized access to database credentials.

This issue was reported in a Gentoo advisory. It is not known if the vulnerability is limited to Gentoo installations of PHPMyAdmin.

- Exploit

There is no exploit required.

- Solution

Gentoo has released advisory GLSA 200504-30 to provide fixes for this issue. Gentoo updates may be applied by running the following commands as the superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.2-r1"

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.
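The flaw described above is a file-permission problem: the generated "[version]_create.sql" script containing the pma user's password is left readable by every local account. The following shell functions are an added example for administrators verifying a host after applying the update or workaround; they are not part of the Gentoo advisory or of phpMyAdmin. They assume the install scripts are named "<version>_create.sql", as the description states, and are located somewhere under the directory passed as the first argument.

```shell
# Added example, not part of the advisory or of phpMyAdmin itself.
# Assumption: install scripts are named "<version>_create.sql" (as the advisory
# says) and live somewhere under the directory passed as $1.

# List SQL install scripts whose "other" read bit (octal 004) is set.
# Returns 0 when none are found, 1 when at least one is.
check_world_readable_sql() {
    hits=$(find "$1" -type f -name '*_create.sql' -perm -004 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/world-readable: /'
    return 1
}

# Remediation for the same files: owner read/write only.
fix_sql_permissions() {
    find "$1" -type f -name '*_create.sql' -perm -004 -exec chmod 600 {} \;
}

# Self-contained demonstration on a constructed file (placeholder password,
# not a real credential). Prints the finding, fixes it, and re-checks.
demo() {
    tmp=$(mktemp -d)
    printf "CREATE USER 'pma'@'localhost' IDENTIFIED BY 'PLACEHOLDER';\n" > "$tmp/2.6.2_create.sql"
    chmod 644 "$tmp/2.6.2_create.sql"
    check_world_readable_sql "$tmp"      # reports the file, returns 1
    fix_sql_permissions "$tmp"
    check_world_readable_sql "$tmp" && echo "clean after fix"
    rm -rf "$tmp"
}
```

Run `demo` to see the check on a constructed file, or call `check_world_readable_sql /path/to/phpmyadmin` against a real install tree. Tightening the mode does not undo an exposure that has already happened, so the advisory's workaround of changing the pma user's password still applies whenever the script was found world-readable.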

- References