95571 – dev-db/xmysqladmin: Insecure Temporary File Creation

Bug 95571 - dev-db/xmysqladmin: Insecure Temporary File Creation

Summary: dev-db/xmysqladmin: Insecure Temporary File Creation

Status:	RESOLVED DUPLICATE of bug 93792

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Other

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/15635/
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-06-09 08:53 UTC by Jean-François Brunette (RETIRED)
Modified:	2005-06-09 09:37 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-06-09 08:53:08 UTC

Description:
Eric Romang has reported a vulnerability in xMySQLadmin, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerability is caused due to temporary files being created insecurely when dropping a database. This can be exploited via symlink attacks to delete arbitrary files with the privileges of the xMySQLadmin user or disclose the contents of the database.

The vulnerability has been reported in version 1.0 and prior. Other versions may also be affected.

Solution:
Grant only trusted users access to affected systems.

Original Advisory:
http://www.zataz.net/adviso/xmysqladmin-05292005.txt

Comment 1 Tavis Ormandy (RETIRED) gentoo-dev

2005-06-09 09:37:37 UTC


*** This bug has been marked as a duplicate of 93792 ***