Executive Summary

Title: phpMyAdmin: Security bypass

Information
Name: GLSA-201707-03
Vendor: Gentoo
First vendor publication: 2017-07-08
Last vendor modification: 2017-07-08
Severity (vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact sub score: N/A
Temporal score: N/A
Exploitability sub score: N/A

Security-Database Scoring CVSS v2

CVSS vector: N/A
CVSS base score: N/A
CVSS impact score: N/A
CVSS exploit score: N/A
Attack range: N/A
Attack complexity: N/A
Authentication: N/A

Detail

Synopsis

A vulnerability in phpMyAdmin might allow remote attackers to bypass authentication.

Background

phpMyAdmin is a web-based management tool for MySQL databases.

Description

A vulnerability was discovered where the restrictions imposed by
"$cfg['Servers'][$i]['AllowNoPassword'] = false" are bypassed under certain PHP versions. This can lead to the compromise of user accounts that have no password set, even if the administrator has set
"$cfg['Servers'][$i]['AllowNoPassword']" to false (which is the default).

This behavior depends on the PHP version used (PHP 5 appears to be affected, while PHP 7.0 is not).

Impact

A remote attacker, who only needs to know the username, could bypass security restrictions and access phpMyAdmin.

Workaround

Set a password for all users.

Resolution

All phpMyAdmin 4.0.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-db/phpmyadmin-4.0.10.20:4.0.10.20"

All other phpMyAdmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.7.0:4.7.0"

References

[ 1 ] PMASA-2017-8
https://www.phpmyadmin.net/security/PMASA-2017-8/

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201707-03

Original Source

Url : http://security.gentoo.org/glsa/glsa-201707-03.xml

Alert History

Date / Information
2017-07-11 13:24:30 - Multiple updates
2017-07-08 17:22:51 - First insertion