CVE-2017-18264
CRITICALphpMyAdmin <4.0.10.20, 4.4.x, 4.6.x, 4.7.0 - Auth Bypass
Title source: llmDescription
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.phpmyadmin.net/security/PMASA-2017-8/
Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/07/msg00006.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97211
Scores
CVSS v3
9.8
EPSS
0.0031
EPSS Percentile
53.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (4)
debian/debian_linux
8.0
phpmyadmin/phpmyadmin
4.7.0 beta1 (2 CPE variants)
phpmyadmin/phpmyadmin
4.0 - 4.0.10.20Packagist
phpmyadmin/phpmyadmin
4.0.0 - 4.0.10.20
Published
May 01, 2018
Tracked Since
Feb 18, 2026