{"id":"CVE-2017-18264","details":"An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.","aliases":["GHSA-5868-g58j-vrj5"],"modified":"2026-03-15T22:16:07.025682Z","published":"2018-05-01T17:29:00.237Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/97211"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00006.html"},{"type":"FIX","url":"https://www.phpmyadmin.net/security/PMASA-2017-8/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpmyadmin/phpmyadmin","events":[{"introduced":"6da64cc3b2ba4439574f914f51e161645375be96"},{"fixed":"9a9a6ab709eb6b1b2e82b7a15851ae93a31e9e45"},{"introduced":"1fe735d098d82ad79500eab04c4d25ba8fe25a24"},{"last_affected":"fbd634d4c1d668e77ad15cdb38c4a85db5c75002"},{"introduced":"37b38431d167915675fc8ab512470528147e72de"},{"last_affected":"c812bcd4112c3d44e6e6bc72e710b9935c6aa9d3"},{"introduced":"0"},{"last_affected":"62c6e73cc5601ecd6cf839874c038a991c7b5b97"},{"introduced":"0"},{"last_affected":"507f335777aa82c16f6fcf691a4e7b3e4b7e98ce"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"fixed":"4.0.10.20"},{"introduced":"4.4.0"},{"last_affected":"4.4.15.10"},{"introduced":"4.6.0"},{"last_affected":"4.6.6"},{"introduced":"0"},{"last_affected":"4.7.0-beta1"},{"introduced":"0"},{"last_affected":"4.7.0-rc1"}]}}],"versions":["RELEASE_4_0_0","RELEASE_4_0_1RC1","RELEASE_4_0_2","RELEASE_4_0_2RC1","RELEASE_4_0_3","RELEASE_4_0_3RC1","RELEASE_4_0_4","RELEASE_4_0_4RC1","RELEASE_4_0_4_1","RELEASE_4_0_4_2","RELEASE_4_0_5RC1","RELEASE_4_0_6","RELEASE_4_0_6RC1","RELEASE_4_0_6RC2","RELEASE_4_1_0ALPHA1","RELEASE_4_1_0ALPHA2","RELEASE_4_1_0BETA1","RELEASE_4_1_0BETA2","RELEASE_4_1_0RC1","RELEASE_4_1_0RC2","RELEASE_4_1_0RC3","RELEASE_4_2_0","RELEASE_4_2_0ALPHA1","RELEASE_4_2_0ALPHA2","RELEASE_4_2_0BETA1","RELEASE_4_2_0RC1","RELEASE_4_2_10","RELEASE_4_2_10_1","RELEASE_4_2_11","RELEASE_4_2_12","RELEASE_4_2_13","RELEASE_4_2_13_1","RELEASE_4_2_7","RELEASE_4_2_7_1","RELEASE_4_2_8","RELEASE_4_2_8_1","RELEASE_4_2_9","RELEASE_4_2_9_1","RELEASE_4_3_0","RELEASE_4_3_0ALPHA1","RELEASE_4_3_0BETA1","RELEASE_4_3_0RC1","RELEASE_4_3_0RC2","RELEASE_4_3_1","RELEASE_4_3_10","RELEASE_4_3_11","RELEASE_4_3_11_1","RELEASE_4_3_12","RELEASE_4_3_13","RELEASE_4_3_2","RELEASE_4_3_3","RELEASE_4_3_4","RELEASE_4_3_5","RELEASE_4_3_6","RELEASE_4_3_7","RELEASE_4_3_8","RELEASE_4_3_9","RELEASE_4_4_0","RELEASE_4_4_0ALPHA1","RELEASE_4_4_1","RELEASE_4_4_10","RELEASE_4_4_11","RELEASE_4_4_12","RELEASE_4_4_13","RELEASE_4_4_13_1","RELEASE_4_4_14","RELEASE_4_4_14_1","RELEASE_4_4_15","RELEASE_4_4_15_1","RELEASE_4_4_15_2","RELEASE_4_4_1_1","RELEASE_4_4_2","RELEASE_4_4_3","RELEASE_4_4_4","RELEASE_4_4_5","RELEASE_4_4_6","RELEASE_4_4_6_1","RELEASE_4_4_7","RELEASE_4_4_8","RELEASE_4_4_9","RELEASE_4_5_0","RELEASE_4_5_0RC1","RELEASE_4_5_0_1","RELEASE_4_5_0_2","RELEASE_4_5_1","RELEASE_4_5_2","RELEASE_4_5_3","RELEASE_4_5_3_1","RELEASE_4_5_4","RELEASE_4_5_4_1","RELEASE_4_5_5","RELEASE_4_5_5_1","RELEASE_4_6_0","RELEASE_4_6_0ALPHA1","RELEASE_4_6_0RC1","RELEASE_4_6_0RC2","RELEASE_4_6_1","RELEASE_4_6_2","RELEASE_4_6_3","RELEASE_4_6_4","RELEASE_4_6_5","RELEASE_4_6_5_1","RELEASE_4_6_5_2","RELEASE_4_6_6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-18264.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}