PHP · phpMyAdmin · CVE-2017-18264
Name of the Vulnerable Software and Affected Versions:
phpMyAdmin versions 4.0 through 4.0.10.19
phpMyAdmin version 4.4.x
phpMyAdmin version 4.6.x
phpMyAdmin version 4.7.0 prereleases
Description:
An issue allows bypassing the restriction imposed by `$cfg['Servers'][$i]['AllowNoPassword'] = false` under certain PHP versions, such as PHP 5. Users with no password set can log in even though the administrator has set `$cfg['Servers'][$i]['AllowNoPassword']` to false. The cause is that some PHP implementations of the `substr` function return `false` rather than an empty string when given an empty string as the first argument, so an empty-password check built on `substr` does not recognise the password as empty.
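The following is an added illustration of the failure mode, not phpMyAdmin's own code: the function names, the shape of the weak check and the `legacy_substr` emulation of PHP 5 behaviour are all assumptions, chosen only to show how a `substr`-based emptiness test is defeated and how a direct comparison is not.

```php
<?php
// Added illustration (hypothetical code, not phpMyAdmin's): a PHP 5 substr()
// quirk defeating an AllowNoPassword=false check. Function names are invented.

// Emulates the PHP 5 behaviour described in the advisory: substr() on an
// empty string returns false instead of ''. Later PHP versions return ''.
function legacy_substr(string $s, int $start, int $len)
{
    if ($s === '') {
        return false;
    }
    return substr($s, $start, $len);
}

// Weak check: treats the password as empty only if its first character is
// the empty string. Under the legacy behaviour the result is false, and
// false === '' is not true, so an empty password is not recognised as empty.
function is_empty_password_weak(string $password): bool
{
    return legacy_substr($password, 0, 1) === '';
}

// Hardened check: compare the password itself, independent of substr().
function is_empty_password_hardened(string $password): bool
{
    return $password === '';
}

// Enforces AllowNoPassword using the supplied emptiness check. Returns
// whether the attempt may proceed to the rest of authentication (omitted).
function login_allowed(string $password, bool $allowNoPassword, callable $isEmpty): bool
{
    if (!$allowNoPassword && $isEmpty($password)) {
        return false; // reject empty passwords when the administrator disallows them
    }
    return true;
}

// With AllowNoPassword=false, the weak check lets an empty password through,
// while the hardened check rejects it.
var_dump(login_allowed('', false, 'is_empty_password_weak'));
var_dump(login_allowed('', false, 'is_empty_password_hardened'));
```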
Recommendations:
For phpMyAdmin versions 4.0 through 4.0.10.19, update to version 4.0.10.20 or later.
For phpMyAdmin version 4.4.x, update to a version outside of the 4.4.x range.
For phpMyAdmin version 4.6.x, update to a version outside of the 4.6.x range.
For phpMyAdmin version 4.7.0 prereleases, update to a release version of 4.7.0 or later.