phpMyAdmin Improper Input Validation Vulnerability - CVE-2006-6943

PhpMyAdmin before 2.9.1.1 allows remote attackers to obtain the full server path via direct requests to (a) scripts/check_lang.php and (b) themes/darkblue_orange/layout.inc.php and via the (1) lang (2) target (3) db (4) goto (5) table and (6) tbl_group array arguments to (c) index.php and the (7) back argument to (d) sql.php and an invalid (8) sort_by parameter to (e) server_databases.php and (9) db parameter to (f) db_printview.php.