phpMyAdmin could allow a remote attacker to obtain sensitive information. An attacker could send a specially-crafted URL request to the darkblue_orange/layout.inc.php script to cause an error message to be returned containing the full installation path. An attacker could use this information to launch further attacks against the affected system.
web-apps please advise.
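An added example (not from this bug thread or from phpMyAdmin) of checking HTTP response bodies for the kind of disclosure described in the report above: it finds PHP error lines that carry an absolute path and reports the directory prefix a requester could not have known from the URL. The host, paths and error text in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# PHP's default error line, with or without html_errors markup:
#   Warning: <message> in /abs/path/file.php on line 12
PHP_ERROR = re.compile(
    r"(?:<b>)?(?P<level>Fatal error|Parse error|Warning|Notice)(?:</b>)?:\s+"
    r".*?\s+in\s+(?:<b>)?(?P<path>(?:/|[A-Za-z]:[\\/])[^<\r\n]*?)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(?P<line>\d+)"
)

def leaked_paths(body):
    """Return (level, absolute_path, line) for every PHP error line in body."""
    return [(m["level"], m["path"], int(m["line"]))
            for m in PHP_ERROR.finditer(body)]

def hidden_prefix(url, fs_path):
    """Return the part of fs_path the requester could not know from the URL."""
    url_parts = [p for p in urlsplit(url).path.split("/") if p]
    fs_parts = [p for p in re.split(r"[\\/]", fs_path) if p]
    common = 0  # number of trailing components shared by URL and file path
    while (common < min(len(url_parts), len(fs_parts))
           and url_parts[-1 - common] == fs_parts[-1 - common]):
        common += 1
    kept = fs_parts[:len(fs_parts) - common]
    root = "" if re.match(r"[A-Za-z]:", fs_path) else "/"
    return root + "/".join(kept)

def audit(responses):
    """Map each URL whose body leaks a path to the list of prefixes disclosed."""
    findings = {}
    for url, body in responses.items():
        prefixes = sorted({hidden_prefix(url, p) for _, p, _ in leaked_paths(body)})
        if prefixes:
            findings[url] = prefixes
    return findings

# Constructed sample responses: host, paths and error text are made up.
SAMPLE = {
    "http://pma.example/phpmyadmin/themes/darkblue_orange/layout.inc.php":
        "<br />\n<b>Notice</b>:  Undefined variable: example in "
        "<b>/var/www/localhost/htdocs/phpmyadmin/themes/darkblue_orange/"
        "layout.inc.php</b> on line <b>12</b><br />\n",
    "http://pma.example/phpmyadmin/index.php":
        "<html><body>Welcome to phpMyAdmin</body></html>",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Setting `display_errors = Off` in the production `php.ini` keeps such error lines out of responses; a check like this one confirms that nothing still leaks.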
Another issue is already being handled: bug 161460. Do we know what version fixes this path disclosure?
Since the mentioned file has not been modified in svn <http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/trunk/phpMyAdmin/themes/darkblue_orange/> for months, I guess the latest version is still affected.
Doesn't look like 2.9.2 fixed this. http://www.redhat.com/archives/fedora-security-list/2007-January/msg00031.html
Does anybody know if 2.10.0.2 fixes this?
According to: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221694 this is not fixed in 2.10.0.2.
Upstream released 2.10.1; it seems that it fixes it.
2.10.1 is in the tree.
Thx Renat. Handling stable marking on bug #175847.
Closing with bug 175847. Feel free to reopen if you disagree.