Candidate: CVE-2017-18264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18264
https://www.phpmyadmin.net/security/PMASA-2017-8/
https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41 (4.7-branch)
https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8 (4.0-branch)
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0
before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions
caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under
certain PHP versions (e.g., version 5). This can allow the login of users
who have no password set even if the administrator has set
$cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the
default). This occurs because some implementations of the PHP substr
function return false when given '' as the first argument.
upstream_phpmyadmin: released (4:4.6.6-2)
precise/esm_phpmyadmin: DNE
trusty_phpmyadmin: needs-triage
xenial_phpmyadmin: needs-triage
artful_phpmyadmin: not-affected (4:4.6.6-5)
bionic_phpmyadmin: not-affected
devel_phpmyadmin: not-affected