Bug 1437828 (CVE-2017-18264) - CVE-2017-18264 phpMyAdmin: Bypass $cfg['Servers'][$i]['AllowNoPassword']
Summary: CVE-2017-18264 phpMyAdmin: Bypass $cfg['Servers'][$i]['AllowNoPassword']
Status: NEW
Alias: CVE-2017-18264
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20170328,repor...
Depends On: 1437829 1437830 1437831 1437832
TreeView+ depends on / blocked
Reported: 2017-03-31 09:24 UTC by Martin Prpič
Modified: 2019-08-26 14:41 UTC (History)
12 users (show)

Fixed In Version: phpMyAdmin, phpMyAdmin 4.7.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Martin Prpič 2017-03-31 09:24:42 UTC
A vulnerability was discovered where the restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).
This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).


Set a password for all users.

Affected versions:

Version 4.0 prior to
Version 4.4 (no longer supported)
Version 4.6 (no longer supported)
Version 4.7.0-beta1 and 4.7.0-rc1

Upstream patches:


External References:


Comment 2 Martin Prpič 2017-03-31 09:26:38 UTC
Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 1437829]
Affects: epel-all [bug 1437830]

Comment 3 Martin Prpič 2017-03-31 09:26:47 UTC
Created phpMyAdmin4 tracking bugs for this issue:

Affects: epel-5 [bug 1437831]

Note You need to log in before you can comment on or make changes to this bug.