YeiZeta

phpmyadmin Brute force

Oct 2nd, 2012
Hello list!

I want to warn you about Brute Force and Full path disclosure
vulnerabilities in phpMyAdmin.

CVE id: CVE-2011-0986.

WASC ids: WASC-11, WASC-13.

CWE ids: CWE-661, CWE-200.

-------------------------
Affected products:
-------------------------

Vulnerable are phpMyAdmin 3.3.9 and previous versions and phpMyAdmin
2.11.11.1 and previous versions. All applications (such as XAMPP), which are
using phpMyAdmin, are also vulnerable.

Full path disclosure vulnerabilities were fixed by developers in versions
3.3.9.1 and 2.11.11.2.

----------
Details:
----------

Brute Force (WASC-11):

http://site/phpmyadmin/

In the login form there is no protection from Brute Force attacks.

Full path disclosure (WASC-13):

http://site/phpmyadmin/readme.php (if there is no README file in folder
phpmyadmin)

http://site/phpmyadmin/changelog.php (if there is no ChangeLog file in
folder phpmyadmin)

http://site/phpmyadmin/license.php (if there is no LICENSE file in folder
phpmyadmin)

------------
Timeline:
------------

2011.01.25 - announced at my site.
2011.01.26 - informed developers.
2011.01.31 - received answer from developers.
2011-02-01 - I gave developers additional argumentations and recommendations
about fixing Brute Force and Full path disclosure holes and privately
informed about all those Fingerprinting (WASC-45) holes in phpMyAdmin.
2011-02-08 - developers fixed FPD holes
(http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php).
2011.02.28 - disclosed at my site.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/4872/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
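
The following local audit is an added example, not part of the advisory and not phpMyAdmin code: given an install directory and its version, it lists the wrapper scripts that meet the full path disclosure condition described above (script present, displayed file missing, version older than the fixed release). The file pairs and fixed versions come from the advisory; the function names and the handling of branches other than 2.x and 3.x are assumptions.

```python
import re
import sys
from pathlib import Path

# Wrapper script -> text file it displays (pairs listed in the advisory).
WRAPPERS = {"readme.php": "README", "changelog.php": "ChangeLog", "license.php": "LICENSE"}
# First releases with the full path disclosure fix, per the advisory.
FIXED = {2: (2, 11, 11, 2), 3: (3, 3, 9, 1)}


def parse_version(text):
    """Turn '3.3.9.1' (or '3.3.9-rc1') into a tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def fpd_fixed(version):
    """True if the version is at or past the fixed release of its branch."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # Assumption: branches after 3.x carry the fix, older ones do not.
        return v[0] > 3
    return v >= fixed


def exposed_wrappers(pma_dir):
    """Wrapper scripts that are present while the file they display is missing."""
    root = Path(pma_dir)
    return sorted(
        script for script, target in WRAPPERS.items()
        if (root / script).is_file() and not (root / target).is_file()
    )


def audit(pma_dir, version):
    """Scripts that need attention: affected version and missing text file."""
    return [] if fpd_fixed(version) else exposed_wrappers(pma_dir)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <phpmyadmin-dir> <version>")
    for script in audit(sys.argv[1], sys.argv[2]):
        print(f"{script}: displayed file missing, upgrade or restore {WRAPPERS[script]}")
```

Restoring the missing text file or upgrading to the fixed release of the branch clears the reported entries.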