CVE-2006-6943

Name of the Vulnerable Software and Affected Versions: PhpMyAdmin versions prior to 2.9.1.1

Description: The issue allows remote attackers to obtain the full server path. This can be achieved through direct requests to certain scripts, such as scripts/check lang.php and themes/darkblue orange/layout.inc.php. Additionally, the issue can be exploited via specific array arguments to index.php, including lang[], target[], db[], goto[], table[], and tbl group[]. Other vulnerable parameters include the back[] argument to sql.php, an invalid sort by parameter to server databases.php, and the db parameter to db printview.php.

Recommendations: For versions prior to 2.9.1.1, update to version 2.9.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable scripts and parameters, such as scripts/check lang.php, themes/darkblue orange/layout.inc.php, and the specified array arguments to index.php, until a patch is applied. Avoid using the vulnerable parameters, including lang[], target[], db[], goto[], table[], tbl group[], back[], sort by, and db, in the affected API endpoints until the issue is resolved.