phpMyAdmin 3.4.5 suffers of insufficient input validation of the parameter js_frame in phpmyadmin.css.php, exposing information that could be used in further attacks.

CVE Entry: CVE-2011-3646
CWE:  CWE-20, CWE-200
PMASA ENTRY: PMASA-2011-15

Description

The script returns an error message, containing the full path if the js_frame parameter is defined as an array.

Exploit

No authentication needed to exploit this vulnerability.

http://example.com/path_to_phpmyadmin/phpmyadmin.css.php?js_frame[]=right

Official fix

http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=d35cba980893aa6e6455fd6e6f14f3e3f1204c52

Credits

Discovered by Mihail Ursu (securitate.md) on 12 Sep 2011.

Disclosure Timeline

Reported to vendor on 12 Sep 2011.
Confirmation from vendor 21 Sep 2011.
Patch confirmation 4 Oct 2011.
Official fix and public disclosure 17 Oct 2011.