Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200504-30] phpMyAdmin: Insecure SQL script installation Vulnerability Scan
Vulnerability Scan Summary
phpMyAdmin: Insecure SQL script installation
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200504-30
(phpMyAdmin: Insecure SQL script installation)
The phpMyAdmin installation process leaves the SQL install script with
insecure permissions.
Impact
A local attacker could exploit this vulnerability to obtain the initial
phpMyAdmin password and from there obtain information about databases
accessible by phpMyAdmin.
Workaround
Change the password for the phpMyAdmin MySQL user (pma):
mysql -u root -p
SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('MyNewPassword');
Update your phpMyAdmin config.inc.php:
$cfg['Servers'][$i]['controlpass'] = 'MyNewPassword';
Solution:
All phpMyAdmin users should change the password for the pma user as
described above and upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.2-r1"
Threat Level: Medium