
Bug 614522

Summary: <dev-db/phpmyadmin-{,4.7.0}: Bypass $cfg['Servers'][$i]['AllowNoPassword']
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: glsamaker, jmbsvicetto, web-apps
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
See Also:
Whiteboard: B3 [glsa]
Package list:
=dev-db/phpmyadmin- =dev-db/phpmyadmin-4.7.0
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-04-02 17:24:27 UTC
From ${URL} :

A vulnerability was discovered where the restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).

This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).

We consider this vulnerability to be of moderate severity.

Mitigation factor
Set a password for all users.

Affected Versions
Version 4.0 prior to Version 4.4 (no longer supported)
Version 4.6 (no longer supported)
Version 4.7.0-beta1 and 4.7.0-rc1

Upgrade to phpMyAdmin 4.7.0 or newer, or apply the patch listed below.

This weakness was discovered by phpMyAdmin team member Isaac Bennetch.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661

The following commits have been made on the 4.0 branch to fix this issue:

The following commits have been made on the 4.7 branch to fix this issue:
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2017-04-02 18:59:29 UTC

requested keywords: alpha amd64 hppa ppc ppc64 sparc x86

Please add keywords to:
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-05 15:59:15 UTC
Stable on alpha.
Comment 3 Agostino Sarubbo gentoo-dev 2017-04-07 16:08:40 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-04-09 12:25:04 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2017-04-17 08:02:55 UTC
x86 stable
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-04-18 06:46:36 UTC
ppc ppc64 stable.
Comment 7 Agostino Sarubbo gentoo-dev 2017-04-27 11:26:45 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2017-04-27 11:49:48 UTC
(In reply to Agostino Sarubbo from comment #7)
> sparc stable.
> Maintainer(s), please cleanup.

Thanks to all arch teams for their work.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2017-04-28 01:09:29 UTC
Arches and Maintainer(s), thank you for your work.
GLSA Vote: Yes

New GLSA Request filed.
Sent an email upstream to find out about the CVE ID for this bug; if none is assigned, will assist in assigning one.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:33:14 UTC
This issue was resolved and addressed in
GLSA 201707-03 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 14:44:58 UTC
*** Bug 635212 has been marked as a duplicate of this bug. ***