Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2017-18264

Опубликовано: 01 мая 2018
Источник: debian
EPSS Низкий

Описание

An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
phpmyadminfixed4:4.6.6-2package

Примечания

  • https://www.phpmyadmin.net/security/PMASA-2017-8/

  • https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41 (4.7-branch)

  • https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8 (4.0-branch)

  • If the issue is triggerable depends as well on the used PHP version.

EPSS

Процентиль: 54%
0.0032
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2017-18264

CVSS3: 9.8
ubuntu
больше 7 лет назад

An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.

nvd логотип

CVE-2017-18264

CVSS3: 9.8
nvd
больше 7 лет назад

An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.

github логотип

GHSA-5868-g58j-vrj5

CVSS3: 9.8
github
около 3 лет назад

phpMyAdmin Improper Privilege Management

EPSS

Процентиль: 54%
0.0032
Низкий