Bug 614522 - <dev-db/phpmyadmin-{,4.7.0}: Bypass $cfg['Servers'][$i]['AllowNoPassword']
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
CVE IDs: CVE-2017-1000013, CVE-2017-1000014, CVE-2017-1000015, CVE-2017-1000017, CVE-2017-1000018
Depends on:
Reported: 2017-04-02 17:24 UTC by Agostino Sarubbo
Modified: 2017-10-27 14:44 UTC
CC: 3 users

See Also:
Package list:
=dev-db/phpmyadmin- =dev-db/phpmyadmin-4.7.0
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-04-02 17:24:27 UTC
From ${URL}:

A vulnerability was discovered where the restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).

This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).

We consider this vulnerability to be of moderate severity.

Mitigation factor
Set a password for all users.

Affected Versions
Version 4.0 prior to Version 4.4 (no longer supported)
Version 4.6 (no longer supported)
Version 4.7.0-beta1 and 4.7.0-rc1

Upgrade to phpMyAdmin 4.7.0 or newer, or apply the patch listed below.

This weakness was discovered by phpMyAdmin team member Isaac Bennetch.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661

The following commits have been made on the 4.0 branch to fix this issue:

The following commits have been made on the 4.7 branch to fix this issue:


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
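As an added defender-side check (not part of the upstream advisory or this Gentoo bug), the following SQL lists MySQL/MariaDB accounts whose password is empty, i.e. exactly the accounts the AllowNoPassword setting is meant to keep out of phpMyAdmin, and then shows how to apply the advisory's mitigation ("Set a password for all users"). The account names and password in the remediation statements are constructed placeholders.

```sql
-- Audit query for MySQL 5.7 / 8.0, where the hash lives in
-- mysql.user.authentication_string. Accounts using socket, PAM or LDAP
-- style plugins also carry an empty hash but are not "no password",
-- so restrict the check to the password-based plugins.
SELECT user, host, plugin
FROM mysql.user
WHERE (authentication_string = '' OR authentication_string IS NULL)
  AND plugin IN ('mysql_native_password',
                 'caching_sha2_password',
                 'sha256_password')
ORDER BY user, host;

-- Same audit for MySQL 5.5/5.6 and MariaDB before 10.4, where the
-- native hash lives in mysql.user.password and the plugin column may be
-- empty for native-password accounts.
SELECT user, host, plugin
FROM mysql.user
WHERE password = ''
  AND (authentication_string = '' OR authentication_string IS NULL)
  AND (plugin = '' OR plugin = 'mysql_native_password')
ORDER BY user, host;

-- Mitigation from the advisory: give every reported account a password.
-- 'app_ro'@'localhost' and the password value are constructed placeholders.
-- MySQL 5.7.6+ / 8.0 / MariaDB 10.2+:
ALTER USER 'app_ro'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';
-- Older servers without ALTER USER ... IDENTIFIED BY:
SET PASSWORD FOR 'app_ro'@'localhost' = PASSWORD('replace-with-a-strong-password');
```

Re-run the audit query afterwards and confirm it returns no rows; an account that still appears can log in through phpMyAdmin on an affected PHP 5 deployment regardless of the AllowNoPassword setting.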
Comment 1 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2017-04-02 18:59:29 UTC

requested keywords: alpha amd64 hppa ppc ppc64 sparc x86

Please add keywords to:
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-05 15:59:15 UTC
Stable on alpha.
Comment 3 Agostino Sarubbo gentoo-dev 2017-04-07 16:08:40 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-04-09 12:25:04 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2017-04-17 08:02:55 UTC
x86 stable
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-04-18 06:46:36 UTC
ppc ppc64 stable.
Comment 7 Agostino Sarubbo gentoo-dev 2017-04-27 11:26:45 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2017-04-27 11:49:48 UTC
(In reply to Agostino Sarubbo from comment #7)
> sparc stable.
> Maintainer(s), please cleanup.

Thanks to all arch teams for their work.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2017-04-28 01:09:29 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: Yes

New GLSA Request filed.
Sent an email upstream to find out about a CVE ID for this bug; if there is none, will assist in assigning one.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:33:14 UTC
This issue was resolved and addressed in GLSA 201707-03 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 14:44:58 UTC
*** Bug 635212 has been marked as a duplicate of this bug. ***