CVE-2005-1392
CVSS 4.6
Published: 2005-05-03 00:00:00
Last revised: 2011-03-07 21:21:42

[Original] The SQL install script in phpMyAdmin 2.6.2 is created with world-readable permissions, which allows local users to obtain the initial database password by reading the script.


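[CNNVD] PHPMyAdmin Insecure SQL Install Script Permissions Vulnerability (CNNVD-200505-833)

        The SQL install script in phpMyAdmin 2.6.2 is given world-readable permissions when it is created, so local users can obtain the initial database password by reading the script.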

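- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]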

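- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found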

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1392
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1392
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-833
(Official data source) CNNVD

- Other Links and Resources

http://www.vupen.com/english/advisories/2005/0436
(UNKNOWN)  VUPEN  ADV-2005-0436
http://www.osvdb.org/16053
(UNKNOWN)  OSVDB  16053
http://security.gentoo.org/glsa/glsa-200504-30.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200504-30

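- Vulnerability Information

PHPMyAdmin Insecure SQL Install Script Permissions Vulnerability
Medium severity  Configuration error
2005-05-03 00:00:00 2005-10-20 00:00:00
Local
        The SQL install script in phpMyAdmin 2.6.2 is given world-readable permissions when it is created, so local users can obtain the initial database password by reading the script.

- Advisories and Patches

        No data available

- Vulnerability Information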

16053
phpmyadmin on Gentoo install Script Local Password Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability Description

phpMyAdmin on Gentoo contains a flaw that may lead to an unauthorized password exposure. The problem is that the file "[version]_create.sql" is left world-readable with the password for the pma user after the installation process. Any unprivileged local user may read this file to obtain the password.

- Timeline

2005-04-30 Unknown
2005-04-30 Unknown

- Solution

Upgrade to version 2.6.2-r1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Change the password for the phpMyAdmin MySQL user (pma) and update your phpMyAdmin config.inc.php to reflect the new password.

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

PHPMyAdmin Insecure SQL Install Script Permissions Vulnerability
Configuration Error 13452
No Yes
2005-04-30 12:00:00 2009-07-12 02:06:00
This issue was announced by Gentoo.

- Affected Software Versions

phpMyAdmin phpMyAdmin 2.6.2
+ Gentoo Linux

- Vulnerability Discussion

PHPMyAdmin sets insecure default permissions on the SQL install script. As a result, local attackers may gain unauthorized access to database credentials.

This issue was reported in a Gentoo advisory. It is not known if the vulnerability is limited to Gentoo installations of PHPMyAdmin.

- Exploit

There is no exploit required.

- Solution

Gentoo has released advisory GLSA 200504-30 to provide fixes for this issue. Gentoo updates may be applied by running the following commands as the superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.2-r1"

---
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References
