Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 614522

Summary: <dev-db/phpmyadmin-{4.0.10.20,4.7.0}: Bypass $cfg['Servers'][$i]['AllowNoPassword']
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: glsamaker, jmbsvicetto, web-apps
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.phpmyadmin.net/security/PMASA-2017-8/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=606824
Whiteboard: B3 [glsa]
Package list:
=dev-db/phpmyadmin-4.0.10.20 =dev-db/phpmyadmin-4.7.0
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-04-02 17:24:27 UTC
From ${URL} :

Description
A vulnerability was discovered where the restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. This can allow the login of 
users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).

This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).

Severity
We consider this vulnerability to be of moderate severity.

Mitigation factor
Set a password for all users.

Affected Versions
Version 4.0 prior to 4.0.10.20 Version 4.4 (no longer supported) Version 4.6 (no longer supported) Version 4.7.0-beta1 and 4.7.0-rc1

Solution
Upgrade to phpMyAdmin 4.0.10.20, 4.7.0, or newer or apply patch listed below.

References
This weakness was discovered by phpMyAdmin team member Isaac Bennetch

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661

Patches
The following commits have been made on the 4.0 branch to fix this issue:

b6ca92cc75c8a16001425be7881e73430bcc35b8
The following commits have been made on the 4.7 branch to fix this issue:

7232271a379396ca1d4b083af051262057003c41



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2017-04-02 18:59:29 UTC
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fb4492ee897c4e02d9f5e1928f3176d99530e68

requested keywords: alpha amd64 hppa ppc ppc64 sparc x86

Please add keywords to:
=dev-db/phpmyadmin-4.0.10.20
=dev-db/phpmyadmin-4.7.0
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-05 15:59:15 UTC
Stable on alpha.
Comment 3 Agostino Sarubbo gentoo-dev 2017-04-07 16:08:40 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-04-09 12:25:04 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2017-04-17 08:02:55 UTC
x86 stable
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-04-18 06:46:36 UTC
ppc ppc64 stable.
Comment 7 Agostino Sarubbo gentoo-dev 2017-04-27 11:26:45 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2017-04-27 11:49:48 UTC
(In reply to Agostino Sarubbo from comment #7)
> sparc stable.
> 
> Maintainer(s), please cleanup.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f92854492b08d4acf4a1e12cb9087599974406b9

Done.
Thanks to all arch teams for their work.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2017-04-28 01:09:29 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: Yes

New GLSA Request filed.
Sent an Email upstream to find out about CVE ID for bug, if not will assist in assigning.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:33:14 UTC
This issue was resolved and addressed in
 GLSA 201707-03 at https://security.gentoo.org/glsa/201707-03
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 14:44:58 UTC
*** Bug 635212 has been marked as a duplicate of this bug. ***