Parent Directory | Revision Log | Revision Graph
from epel
1 | jpp | 1.1 | Backported patch for phpMyAdmin 4.4.x; a vulnerability was discovered where the restrictions |
2 | caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. | ||
3 | This can allow the login of users who have no password set even if the administrator has set | ||
4 | $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). | ||
5 | |||
6 | This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not). | ||
7 | |||
8 | Further details: | ||
9 | - https://www.phpmyadmin.net/security/PMASA-2017-8/ | ||
10 | - https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8 | ||
11 | - https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41 | ||
12 | |||
13 | --- phpMyAdmin-4.4.15.10/libraries/common.inc.php 2017-01-23 20:08:47.000000000 +0100 | ||
14 | +++ phpMyAdmin-4.4.15.10/libraries/common.inc.php.pmasa-2017-8 2017-06-26 01:52:03.000000000 +0200 | ||
15 | @@ -858,7 +858,7 @@ | ||
16 | . ' ' . $cfg['Server']['auth_type'] | ||
17 | ); | ||
18 | } | ||
19 | - if (isset($_REQUEST['pma_password'])) { | ||
20 | + if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) { | ||
21 | $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256); | ||
22 | } | ||
23 | include_once './libraries/plugins/auth/' . $auth_class . '.class.php'; |
admin@koozali.org | ViewVC Help |
Powered by ViewVC 1.2.1 |