{"id":"CVE-2017-18264","details":"An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.","aliases":["GHSA-5868-g58j-vrj5"],"modified":"2026-02-19T07:15:04.737849Z","published":"2018-05-01T17:29:00.237Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/97211"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00006.html"},{"type":"ADVISORY","url":"https://www.phpmyadmin.net/security/PMASA-2017-8/"},{"type":"FIX","url":"https://www.phpmyadmin.net/security/PMASA-2017-8/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpmyadmin/phpmyadmin","events":[{"introduced":"6da64cc3b2ba4439574f914f51e161645375be96"},{"fixed":"9a9a6ab709eb6b1b2e82b7a15851ae93a31e9e45"}]}],"versions":["RELEASE_4_0_0","RELEASE_4_0_10","RELEASE_4_0_10_1","RELEASE_4_0_10_10","RELEASE_4_0_10_11","RELEASE_4_0_10_12","RELEASE_4_0_10_13","RELEASE_4_0_10_15","RELEASE_4_0_10_16","RELEASE_4_0_10_17","RELEASE_4_0_10_18","RELEASE_4_0_10_19","RELEASE_4_0_10_2","RELEASE_4_0_10_3","RELEASE_4_0_10_4","RELEASE_4_0_10_5","RELEASE_4_0_10_6","RELEASE_4_0_10_7","RELEASE_4_0_10_8","RELEASE_4_0_10_9","RELEASE_4_0_1RC1","RELEASE_4_0_2","RELEASE_4_0_2RC1","RELEASE_4_0_3","RELEASE_4_0_3RC1","RELEASE_4_0_4","RELEASE_4_0_4RC1","RELEASE_4_0_4_1","RELEASE_4_0_4_2","RELEASE_4_0_5RC1","RELEASE_4_0_6","RELEASE_4_0_6RC1","RELEASE_4_0_6RC2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-18264.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}