/[smecontribs]/rpms/phpMyAdmin/contribs10/phpMyAdmin-4.4.15.10-pmasa-2017-8.patch
ViewVC logotype

Annotation of /rpms/phpMyAdmin/contribs10/phpMyAdmin-4.4.15.10-pmasa-2017-8.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Sun Feb 28 06:34:56 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: phpMyAdmin-4_4_15_10-4_el7
from epel

1 jpp 1.1 Backported patch for phpMyAdmin 4.4.x; a vulnerability was discovered where the restrictions
2     caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions.
3     This can allow the login of users who have no password set even if the administrator has set
4     $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).
5    
6     This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).
7    
8     Further details:
9     - https://www.phpmyadmin.net/security/PMASA-2017-8/
10     - https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8
11     - https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41
12    
13     --- phpMyAdmin-4.4.15.10/libraries/common.inc.php 2017-01-23 20:08:47.000000000 +0100
14     +++ phpMyAdmin-4.4.15.10/libraries/common.inc.php.pmasa-2017-8 2017-06-26 01:52:03.000000000 +0200
15     @@ -858,7 +858,7 @@
16     . ' ' . $cfg['Server']['auth_type']
17     );
18     }
19     - if (isset($_REQUEST['pma_password'])) {
20     + if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) {
21     $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
22     }
23     include_once './libraries/plugins/auth/' . $auth_class . '.class.php';

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed