SecurityTracker.com
Category:   Application (Web Server/CGI)  >   phpPgAdmin
Vendors:   phpPgAdmin Development Team
phpPgAdmin Database Administration Utility May Disclose Password to Local Users
SecurityTracker Alert ID:  1003306
SecurityTracker URL:  http://securitytracker.com/id/1003306
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 21 2002
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 2.4
Description:   An information disclosure vulnerability was reported in the phpPgAdmin PostgreSQL administration utility. A local user may be able to obtain the password.

It is reported that phpPgAdmin stores a username and password in plain text in a configuration file.

Impact:   A local user may be able to view the password in the configuration file.
Solution:   The vendor has released a fixed version (phpPgAdmin 2.4-beta-1), available at:

http://sourceforge.net/project/showfiles.php?group_id=37132

Vendor URL:  phppgadmin.sourceforge.net/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  phpPgAdmin


  phpPgAdmin 2.4
  by Dan Wilson (http://freshmeat.net/users/dwilson/)
  Saturday, January 19th 2002 06:36

Database :: Database Engines/Servers Database :: Front-Ends

About: Based on phpMyAdmin, phpPgAdmin is a fully functional port for
PostgreSQL. It has all the basic functionality you need to completely
administer a PostgreSQL server and/or database, including the ability to
administer views, sequences, stored procedures, and triggers. Features
include the ability to create and drop databases; create, copy, drop,
and alter tables/views/sequences/functions/triggers; edit and add fields
(to the extent Postgres allows); execute any SQL-statement, even
batch-queries; manage keys on fields; create and read dumps of database
and tables; and administer one single database, multiple servers, and
Postgres users/groups.

Changes: A major security issue with the new authorization scheme that
places all security in the hands of PostgreSQL itself was resolved.
Various bugfixes and a few minor features were added.

License: GNU General Public License (GPL)

URL: http://freshmeat.net/projects/phppgadmin/

Release Name: phpPgAdmin 2.4-beta-1

Notes: The big change for this release is the removal of the
configuration settings for the stdpass and stduser. When using adv_auth,
you no longer need to have a username and password stored in the
configuration file. 

http://sourceforge.net/project/showfiles.php?group_id=37132
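
An added example, not part of the advisory or of phpPgAdmin's own code: a check that a configuration file no longer holds values for the stduser and stdpass settings named in the release notes, and that other local users cannot read it. The PHP assignment layout, the `$cfg` variable and the file name are assumptions, and the sample content is constructed.

```python
import os
import re
import stat
import tempfile

# Assumption: the settings appear as PHP assignments with a quoted string value.
CRED_RE = re.compile(r"""(stduser|stdpass)[^=\n]*=\s*(['"])(.*?)\2""")

# Constructed sample; $cfg and the layout are hypothetical.
SAMPLE = """<?php
// $cfg['stdpass'] = 'commented-out';
$cfg['adv_auth'] = false;
$cfg['stduser'] = 'pgadmin';
$cfg['stdpass'] = 'example-password';
$cfg2['stduser'] = '';
"""


def audit_config(path):
    """Return findings for one config file; values are never echoed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("file is world-readable (mode %04o)" % mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.lstrip().startswith(("//", "#")):
                continue  # skip single-line PHP comments
            m = CRED_RE.search(line)
            if m and m.group(3):  # empty strings are not a finding
                findings.append("line %d: %s is set" % (lineno, m.group(1)))
    return findings


def demo():
    """Audit the sample under a loose and a tight file mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.sample.php")  # hypothetical name
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit_config(path)
        os.chmod(path, 0o600)
        tight = audit_config(path)
    return loose, tight


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

Tightening the file mode clears only the permission finding; the stored values are still reported until they are removed from the file.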


 
 

