Hi!
Having looked into the bug report a bit more, I noticed that my code definitely had a bug since the 2.5.0 release. There's a line reading "if ($content != '')" which should read "if ($content != 'none')" to effectively disable the printout of all files in the directory.
But the basic thing the SecurityFocus report falsely states is that you can print out any directory structure. But since 2.5.0 you cannot escape out of the base phpMyAdmin installation, so this is not true. I wonder whether we have to disable the output of files in the phpMyAdmin directory. Because when a user can access the db_details_importsql.php file, he has to have a valid user account and thereby should have FTP access anyways and can see all of the files. The files stored in the SQL file upload area are accessible from the SQL query box, so no secret in that area as well. That's why I haven't committed the above mentioned replacement of the line. Do we want to hide any file the importer is ignoring?
Regarding the directory disclosure issue: The author means that PHP will print out the 'missing variable in file /ddd/xxx/eee/bla.php' and thereby show the path. I guess we can only hide that part by pointing out not to let PHP print out errors on a webpage in production environments. On our side, we can only reduce the PHP error output, I guess?
Concerning the cookie storage, I'm not very experienced in this area. But patch items http://sourceforge.net/tracker/index.php?func=detail&aid=705727&grou... and http://sourceforge.net/tracker/index.php?func=detail&aid=564793&grou... (all covered by robbat) may give some hints on that?
For those XSS issues... well, I never got the clue out of how that can be dangerous. Maybe someone can enlighten me on that? I guess we can escape all HTML-elements from GET/POST variables by htmlentitieing them, can't we?
Regards, Garvin.
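
The two mitigations discussed in this message, escaping request values before they reach HTML and keeping PHP error text (with its file paths) out of the response, as an added example that is not part of the original message or of phpMyAdmin's code. The helper names `h()` and `render_table_heading()` and the `table` parameter are hypothetical, and the sample input is constructed.

```php
<?php
// Added example: h(), render_table_heading() and the 'table' parameter
// are hypothetical names, not phpMyAdmin code.

// Production error settings: nothing is printed into the page, so a
// notice such as "undefined variable in /path/to/file.php" cannot show
// the installation path. Details still go to the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Escape a value for HTML text or a quoted attribute. ENT_QUOTES covers
// both quote characters; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build a heading from a GET/POST-style array. The isset()/is_string()
// check means a missing or array-valued parameter never triggers a PHP
// notice, which is the application-side way to reduce error output.
function render_table_heading(array $request): string
{
    $table = (isset($request['table']) && is_string($request['table']))
        ? $request['table']
        : '';

    // Escaping happens at output time, once per place the value is used.
    return '<h2 title="' . h($table) . '">Table: ' . h($table) . '</h2>';
}

// Constructed sample inputs: markup in the value, a missing parameter,
// and an array where a string is expected.
$samples = [
    ['table' => '"><script>alert(1)</script>'],
    [],
    ['table' => ['unexpected', 'array']],
];

foreach ($samples as $request) {
    echo render_table_heading($request), "\n";
}
```

With the first sample the markup characters come out as entities, so the browser renders them as text instead of parsing them as tags.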