PT-2018-6789 · Php+3 · Phpmyadmin+3

Isaac Bennetch · Published 2014-05-05 · Updated 2022-05-13 · CVE-2017-18264

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:

- phpMyAdmin versions 4.0 through 4.0.10.19
- phpMyAdmin version 4.4.x
- phpMyAdmin version 4.6.x
- phpMyAdmin version 4.7.0 prereleases

Description: An issue allows the bypassing of restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false under certain PHP versions, such as version 5. This can allow users with no password set to log in, even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false. The issue occurs because some implementations of the PHP substr function return false, rather than an empty string, when given an empty string as the first argument.

Recommendations:

- For phpMyAdmin versions 4.0 through 4.0.10.19, update to version 4.0.10.20 or later.
- For phpMyAdmin version 4.4.x, update to a version outside of the 4.4.x range.
- For phpMyAdmin version 4.6.x, update to a version outside of the 4.6.x range.
- For phpMyAdmin version 4.7.0 prereleases, update to a release version of 4.7.0 or later.
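The substr behaviour the description refers to is easy to reproduce in isolation. The following is an added illustration, not phpMyAdmin's own code: the function names (isEmptyPasswordNaive, isEmptyPasswordSafe, loginAllowed) are hypothetical stand-ins for an empty-password check that leans on substr and for the same check written without it, and the $allowNoPassword variable mirrors the configuration setting named in the advisory.

```php
<?php
// Added illustration of the substr() difference described above; this is
// not phpMyAdmin's code. Function names are hypothetical stand-ins.
// No scalar type hints are used so the file also runs on PHP 5.

// Naive check: on PHP 5, substr('', 0, 1) returns false (the string is
// exactly "start" characters long), so the strict comparison against ''
// fails and an empty password is reported as NOT empty.
function isEmptyPasswordNaive($password)
{
    return substr($password, 0, 1) === '';
}

// Safe check: compare the string itself; this behaves the same on every
// PHP version and does not depend on substr()'s return value.
function isEmptyPasswordSafe($password)
{
    return $password === '';
}

// Enforcement stub modelled on the AllowNoPassword setting: when the
// setting is false, an empty password must not be accepted.
// $isEmpty is the name of the check function to use.
function loginAllowed($password, $allowNoPassword, $isEmpty)
{
    if (! $allowNoPassword && $isEmpty($password)) {
        return false;
    }
    return true;
}

// Demonstration with constructed input: an empty password and the
// setting turned off.
$allowNoPassword = false;

var_dump(substr('', 0, 1));
// PHP 5: bool(false)   PHP 7 and later: string(0) ""

var_dump(loginAllowed('', $allowNoPassword, 'isEmptyPasswordNaive'));
// PHP 5: bool(true)  -> the restriction is bypassed
// PHP 7 and later: bool(false)

var_dump(loginAllowed('', $allowNoPassword, 'isEmptyPasswordSafe'));
// bool(false) on every PHP version
```

The takeaway for code review is that any "is this string empty" decision should compare the string directly (or use strlen) rather than inspect a substring, because substr's return type for edge cases changed between PHP major versions; the PHP 7.0 changelog for substr documents the change from false to an empty string when the string is exactly start characters long.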

Exploit

Fix

Weakness Enumeration

Improper Privilege Management

Related identifiers

ALT-PU-2014-1591
ALT-PU-2017-1604
CVE-2017-18264
DLA-1415-1
GHSA-5868-G58J-VRJ5
USN-4843-1

Affected products

Alt Linux
Linuxmint
Ubuntu
Phpmyadmin