Parent Directory
| 
Revision Log
| 
Revision Graph
* Sun Feb 28 2021 Jean-Philipe Pialasse <tests@pialasse.com> 5.1.0-1.sme - Upgrade to 5.1.0 [SME: 11043] use epel spec with some modifications from remi
| 1 | Backported patch for phpMyAdmin 4.4.x; a vulnerability was discovered where the restrictions |
| 2 | caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. |
| 3 | This can allow the login of users who have no password set even if the administrator has set |
| 4 | $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). |
| 5 | |
| 6 | This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not). |
| 7 | |
| 8 | Further details: |
| 9 | - https://www.phpmyadmin.net/security/PMASA-2017-8/ |
| 10 | - https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8 |
| 11 | - https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41 |
| 12 | |
| 13 | --- phpMyAdmin-4.4.15.10/libraries/common.inc.php 2017-01-23 20:08:47.000000000 +0100 |
| 14 | +++ phpMyAdmin-4.4.15.10/libraries/common.inc.php.pmasa-2017-8 2017-06-26 01:52:03.000000000 +0200 |
| 15 | @@ -858,7 +858,7 @@ |
| 16 | . ' ' . $cfg['Server']['auth_type'] |
| 17 | ); |
| 18 | } |
| 19 | - if (isset($_REQUEST['pma_password'])) { |
| 20 | + if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) { |
| 21 | $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256); |
| 22 | } |
| 23 | include_once './libraries/plugins/auth/' . $auth_class . '.class.php'; |
| admin@koozali.org | ViewVC Help |
| Powered by ViewVC 1.2.1 |  |