PMASA-2017-8
Announcement-ID: PMASA-2017-8
Date: 2017-03-28
Updated: 2018-05-01
Summary
Bypass $cfg['Servers'][$i]['AllowNoPassword']
Description
A vulnerability was discovered where the restriction imposed by $cfg['Servers'][$i]['AllowNoPassword'] = false is bypassed under certain PHP versions. As a result, a MySQL user account that has no password set can log in through phpMyAdmin even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).
The behavior depends on the PHP version in use: PHP 5 appears to be affected, while PHP 7.0 is not.
Severity
We consider this vulnerability to be of moderate severity.
Mitigation factor
Set a password for all MySQL user accounts; the bypass only grants access to accounts that have no password set.
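As an added check that is not part of the original advisory, the mitigation above can be verified directly on the database server by listing the accounts that have no password hash stored, then giving each one a password. The query assumes MySQL 5.7 or later (or MariaDB 10.4 or later), where the hash is kept in mysql.user.authentication_string; on MySQL 5.6 and on MariaDB before 10.4 the native hash is in the Password column instead, so both columns have to be checked there. The account name and password in the ALTER USER statement are placeholders.

```sql
-- Added example, not from the phpMyAdmin advisory or project.
-- Assumes MySQL 5.7+/8.0 or MariaDB 10.4+: the password hash is in
-- mysql.user.authentication_string. An empty hash means the account
-- can log in without a password, which is exactly what the bypass exploits.
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = ''
  -- Socket-authenticated accounts also have an empty hash but authenticate
  -- by OS user, not by an empty password, so they are not the concern here.
  AND plugin NOT IN ('auth_socket', 'unix_socket')
ORDER BY user, host;

-- On MySQL 5.6 / MariaDB < 10.4 use this variant instead (native hash in Password):
-- SELECT user, host, plugin FROM mysql.user
-- WHERE Password = '' AND authentication_string = ''
--   AND plugin NOT IN ('auth_socket', 'unix_socket');

-- Remediation for each account returned ('app'@'localhost' is a placeholder):
ALTER USER 'app'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';

-- Older servers without ALTER USER ... IDENTIFIED BY (MySQL 5.6, MariaDB < 10.2):
-- SET PASSWORD FOR 'app'@'localhost' = PASSWORD('replace-with-a-long-random-password');

FLUSH PRIVILEGES;
```

Run the SELECT before and after remediation; once it returns no rows, the AllowNoPassword bypass has nothing left to grant access to, regardless of the PHP version in use.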
Affected Versions
Version 4.0 prior to 4.0.10.20
Version 4.4 (no longer supported)
Version 4.6 (no longer supported)
Version 4.7.0-beta1 and 4.7.0-rc1
Solution
Upgrade to phpMyAdmin 4.0.10.20, 4.7.0, or newer, or apply the patches listed below.
References
This weakness was discovered by phpMyAdmin team member Isaac Bennetch.
Assigned CVE IDs: CVE-2017-18264
CWE IDs: CWE-661
Patches
The following commits have been made on the 4.0 branch to fix this issue:
The following commits have been made on the 4.7 branch to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.