- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                 GLSA 201707-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: phpMyAdmin: Security bypass
      Date: July 08, 2017
      Bugs: #614522
        ID: 201707-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in phpMyAdmin might allow remote attackers to bypass
authentication.

Background
==========

phpMyAdmin is a web-based management tool for MySQL databases.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-db/phpmyadmin          < 4.0.10.20           >= 4.0.10.20
                                  < 4.7.0               >= 4.7.0

Description
===========

A vulnerability was discovered where the restrictions caused by
"$cfg['Servers'][$i]['AllowNoPassword'] = false" are bypassed under
certain PHP versions. This can lead to compromised user accounts that
have no password set, even if the administrator has set
"$cfg['Servers'][$i]['AllowNoPassword']" to false (which is the
default). This behavior depends on the PHP version used (it seems PHP 5
is affected, while PHP 7.0 is not).

Impact
======

A remote attacker, who only needs to know the username, could bypass
security restrictions and access phpMyAdmin.

Workaround
==========

Set a password for all users.
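To apply the workaround, an administrator first needs to know which MySQL accounts currently have no password. The following query and ALTER USER statement are an added example, not part of the GLSA or of phpMyAdmin; they assume MySQL 5.7 or 8.0 (mysql.user column authentication_string) and a constructed account name 'example_user'@'localhost'.

```sql
-- Added example (not from the GLSA): list MySQL accounts that can be used
-- with an empty password, so each can be given one per the workaround.
-- Assumes MySQL 5.7+/8.0; on MySQL <= 5.6 the column is named "password"
-- rather than "authentication_string".
SELECT user, host, plugin
  FROM mysql.user
 WHERE authentication_string = ''
   AND plugin IN ('mysql_native_password', 'sha256_password',
                  'caching_sha2_password');
-- auth_socket / unix_socket accounts also have an empty
-- authentication_string but cannot be used with an empty password over
-- the network, so the plugin filter excludes them.

-- Set a password for each account the query returned
-- ('example_user'@'localhost' is a constructed placeholder):
ALTER USER 'example_user'@'localhost' IDENTIFIED BY 'CHANGE-ME-to-a-strong-password';
-- On MySQL <= 5.6 use instead:
-- SET PASSWORD FOR 'example_user'@'localhost' = PASSWORD('CHANGE-ME-to-a-strong-password');
FLUSH PRIVILEGES;
```

Re-run the SELECT afterwards; it should return no rows before phpMyAdmin is considered covered by the workaround.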
Resolution
==========

All phpMyAdmin 4.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/phpmyadmin-4.0.10.20:4.0.10.20"

All other phpMyAdmin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.7.0:4.7.0"

References
==========

[ 1 ] PMASA-2017-8
      https://www.phpmyadmin.net/security/PMASA-2017-8/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201707-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5