Parent Directory
| 
Revision Log
| 
Revision Graph
from epel
| 1 | jpp | 1.1 | Backported patch for phpMyAdmin 4.4.x; a vulnerability was discovered where the restrictions |
| 2 | caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. | ||
| 3 | This can allow the login of users who have no password set even if the administrator has set | ||
| 4 | $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). | ||
| 5 | |||
| 6 | This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not). | ||
| 7 | |||
| 8 | Further details: | ||
| 9 | - https://www.phpmyadmin.net/security/PMASA-2017-8/ | ||
| 10 | - https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8 | ||
| 11 | - https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41 | ||
| 12 | |||
| 13 | --- phpMyAdmin-4.4.15.10/libraries/common.inc.php 2017-01-23 20:08:47.000000000 +0100 | ||
| 14 | +++ phpMyAdmin-4.4.15.10/libraries/common.inc.php.pmasa-2017-8 2017-06-26 01:52:03.000000000 +0200 | ||
| 15 | @@ -858,7 +858,7 @@ | ||
| 16 | . ' ' . $cfg['Server']['auth_type'] | ||
| 17 | ); | ||
| 18 | } | ||
| 19 | - if (isset($_REQUEST['pma_password'])) { | ||
| 20 | + if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) { | ||
| 21 | $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256); | ||
| 22 | } | ||
| 23 | include_once './libraries/plugins/auth/' . $auth_class . '.class.php'; |
| admin@koozali.org | ViewVC Help |
| Powered by ViewVC 1.2.1 |  |