phpMyAdmin: Security bypass — GLSA 201707-03

A vulnerability in phpMyAdmin might allow remote attackers to bypass authentication.

Affected packages

dev-db/phpmyadmin on all architectures
Affected versions < 4.0.10.20
< 4.7.0
Unaffected versions >= 4.0.10.20
>= 4.7.0

Background

phpMyAdmin is a web-based management tool for MySQL databases.

Description

A vulnerability was discovered where the restrictions caused by “$cfg[‘Servers’][$i][‘AllowNoPassword’] = false” are bypassed under certain PHP versions. This can lead compromised user accounts, who have no passwords set, even if the administrator has set “$cfg[‘Servers’][$i][‘AllowNoPassword’]” to false (which is the default).

This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).

Impact

A remote attacker, who only needs to know the username, could bypass security restrictions and access phpMyAdmin.

Workaround

Set a password for all users.

Resolution

All phpMyAdmin 4.0.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=dev-db/phpmyadmin-4.0.10.20:4.0.10.20"
 

All other phpMyAdmin users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.7.0:4.7.0"
 

References

Release date
July 08, 2017

Latest revision
August 06, 2017: 2

Severity
normal

Exploitable
remote

Bugzilla entries