CVE-2017-18264
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.
Se ha descubierto un problema en libraries/common.inc.php en phpMyAdmin en versiones 4.0 anteriores a la 4.0.10.20, 4.4.x, 4.6.x y 4.7.0 "prereleases". Las restricciones causadas por $cfg['Servers'][$i]['AllowNoPassword'] = false se omiten en determinadas versiones PHP (por ejemplo, la versión 5). Esto puede permitir que inicien sesión los usuarios que no tengan una contraseña establecida incluso si el administrador tiene establecido $cfg['Servers'][$i]['AllowNoPassword'] en "false" (que es también el valor por defecto). Esto ocurre porque determinadas implementaciones de la función de PHP substr devuelven el valor "falso" cuando se proporciona el carácter " como primer argumento.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-05-01 CVE Reserved
- 2018-05-01 CVE Published
- 2024-02-14 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/97211 | Third Party Advisory | |
| https://lists.debian.org/debian-lts-announce/2018/07/msg00006.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.phpmyadmin.net/security/PMASA-2017-8 | 2019-10-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Phpmyadmin Search vendor "Phpmyadmin" | Phpmyadmin Search vendor "Phpmyadmin" for product "Phpmyadmin" | >= 4.0.0 < 4.0.10.20 Search vendor "Phpmyadmin" for product "Phpmyadmin" and version " >= 4.0.0 < 4.0.10.20" | - |
Affected
| ||||||
| Phpmyadmin Search vendor "Phpmyadmin" | Phpmyadmin Search vendor "Phpmyadmin" for product "Phpmyadmin" | >= 4.4.0 <= 4.4.15.10 Search vendor "Phpmyadmin" for product "Phpmyadmin" and version " >= 4.4.0 <= 4.4.15.10" | - |
Affected
| ||||||
| Phpmyadmin Search vendor "Phpmyadmin" | Phpmyadmin Search vendor "Phpmyadmin" for product "Phpmyadmin" | >= 4.6.0 <= 4.6.6 Search vendor "Phpmyadmin" for product "Phpmyadmin" and version " >= 4.6.0 <= 4.6.6" | - |
Affected
| ||||||
| Phpmyadmin Search vendor "Phpmyadmin" | Phpmyadmin Search vendor "Phpmyadmin" for product "Phpmyadmin" | 4.7.0 Search vendor "Phpmyadmin" for product "Phpmyadmin" and version "4.7.0" | beta1 |
Affected
| ||||||
| Phpmyadmin Search vendor "Phpmyadmin" | Phpmyadmin Search vendor "Phpmyadmin" for product "Phpmyadmin" | 4.7.0 Search vendor "Phpmyadmin" for product "Phpmyadmin" and version "4.7.0" | rc1 |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||