Debian mnoGoSearch-Common Local Database Administrator Password Disclosure Vulnerability

Bugtraq ID:	17477
Class:	Design Error
CVE:
Remote:	No
Local:	Yes
Published:	Apr 11 2006 12:00AM
Updated:	Apr 12 2006 09:27PM
Credit:	Andrew Pam <[email protected]> reported this issue to the vendor.
Vulnerable:	Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1
Not Vulnerable:

Debian mnoGoSearch-Common Local Database Administrator Password Disclosure Vulnerability

Debian GNU/Linux is susceptible to a local information-disclosure vulnerability. This issue is due to the 'debconf' package improperly storing sensitive information in world-readable files.

This issue allows local users to gain access to the database administrator password to the 'mnogosearch-common' package. Information gained through exploiting this issue may aid malicious users in further attacks.

Debian mnoGoSearch-Common Local Database Administrator Password Disclosure Vulnerability

An exploit is not required.

Debian mnoGoSearch-Common Local Database Administrator Password Disclosure Vulnerability

Solution:

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]:[email protected]

Debian mnoGoSearch-Common Local Database Administrator Password Disclosure Vulnerability

References:

• Debian Bug report logs - #361775 (Debian)
  
• Debian Homepage (Debian)