A vulnerability was discovered where the restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not). Mitigation: Set a password for all users. Affected versions: Version 4.0 prior to 4.0.10.20 Version 4.4 (no longer supported) Version 4.6 (no longer supported) Version 4.7.0-beta1 and 4.7.0-rc1 Upstream patches: https://github.com/phpmyadmin/phpmyadmin https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8 https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41 External References: https://www.phpmyadmin.net/security/PMASA-2017-8/
Created phpMyAdmin tracking bugs for this issue: Affects: fedora-all [bug 1437829] Affects: epel-all [bug 1437830]
Created phpMyAdmin4 tracking bugs for this issue: Affects: epel-5 [bug 1437831]