Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 531
Alerts This Week
Warning Icon 1 531

Gentoo: GLSA-201707-03 High: phpMyAdmin Authentication Bypass

gentoo
Calendar Grey July 8, 2017
Scroller Gentoo Esm H88
A flaw in phpMyAdmin permits remote intruders to circumvent login procedures on Gentoo systems, presenting serious dangers.
A vulnerability in phpMyAdmin might allow remote attackers to bypass authentication.

Summary

A vulnerability was discovered where the restrictions caused by "$cfg['Servers'][$i]['AllowNoPassword'] = false" are bypassed under certain PHP versions. This can lead compromised user accounts, who have no passwords set, even if the administrator has set "$cfg['Servers'][$i]['AllowNoPassword']" to false (which is the default). This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).

Resolution

All phpMyAdmin 4.0.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-db/phpmyadmin-4.0.10.20:4.0.10.20"
All other phpMyAdmin users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.7.0:4.7.0"

References

[ 1 ] PMASA-2017-8 https://www.phpmyadmin.net/security/PMASA-2017-8/

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201707-03
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: phpMyAdmin: Security bypass
Date: July 08, 2017
Bugs: #614522
ID: 201707-03

Synopsis

A vulnerability in phpMyAdmin might allow remote attackers to bypass authentication.

Background

phpMyAdmin is a web-based management tool for MySQL databases.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-db/phpmyadmin < 4.0.10.20 >= 4.0.10.20 < 4.7.0 >= 4.7.0

Impact

===== A remote attacker, who only needs to know the username, could bypass security restrictions and access phpMyAdmin.

Workaround

Set a password for all users.