CVE-2017-18264

Priority
Description
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0
before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions
caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under
certain PHP versions (e.g., version 5). This can allow the login of users
who have no password set even if the administrator has set
$cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the
default). This occurs because some implementations of the PHP substr
function return false when given '' as the first argument.
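
The failure mode described above, as an added PHP example (not phpMyAdmin's code): it assumes the submitted password passes through substr before a strict comparison against ''. The function names, the MAX_LEN value and the substr_php5 model of the older return value are hypothetical.

```php
<?php
// Added illustration, not phpMyAdmin source. All names here are hypothetical.

const MAX_LEN = 100; // constructed truncation length, not taken from the page

// Models substr() as PHP 5 behaves for a non-negative $start: it returns
// false (not '') when the string is not longer than $start, so
// substr('', 0, n) yields false. Used so the example behaves the same on
// any PHP version.
function substr_php5($s, $start, $len)
{
    if (strlen($s) <= $start) {
        return false;
    }
    return substr($s, $start, $len);
}

// Weak form: the empty-password test uses === '' on the substr result.
// For an empty password the value is now false, the strict comparison
// does not match, and the AllowNoPassword = false restriction is skipped.
function login_blocked_weak($password, $allowNoPassword)
{
    $password = substr_php5($password, 0, MAX_LEN);
    return !$allowNoPassword && $password === '';
}

// Hardened form: cast the substr result back to string before testing,
// so false and '' are treated identically.
function login_blocked_hardened($password, $allowNoPassword)
{
    $password = (string) substr_php5($password, 0, MAX_LEN);
    return !$allowNoPassword && $password === '';
}

// Constructed inputs: an empty password and a non-empty one,
// both with AllowNoPassword set to false.
foreach (array('', 'secret') as $pw) {
    printf(
        "password=%s weak_blocked=%s hardened_blocked=%s\n",
        var_export($pw, true),
        var_export(login_blocked_weak($pw, false), true),
        var_export(login_blocked_hardened($pw, false), true)
    );
}
```
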
Notes
Package
Upstream: released (4:4.6.6-2)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (4:4.6.6-5)
Ubuntu 20.04 LTS (Focal Fossa): not-affected (4:4.6.6-5)
Ubuntu 20.10 (Groovy Gorilla): not-affected (4:4.6.6-5)
More Information

Updated: 2020-07-28 18:43:51 UTC (commit 7b6828437fde0509248708fcdb5b0f7587b85bd1)