Summary
Bypass $cfg['Servers'][$i]['AllowNoPassword']
Description
A vulnerability was discovered where the restrictions
caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are
bypassed under certain PHP versions. This can allow the
login of users who have no password set even if the
administrator has set $cfg['Servers'][$i]['AllowNoPassword']
to false (which is also the default).
This behavior depends on the PHP version used (it seems
PHP 5 is affected, while PHP 7.0 is not).
Severity
We consider this vulnerability to be of moderate severity.
Mitigation factor
Set a password for all users.