Description
The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10.1 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request.
Remediation
References
Related Vulnerabilities
Drupal Improper Input Validation Vulnerability (CVE-2014-5019)
WordPress Plugin WP Business Intelligence Lite Arbitrary File Upload (1.0.6)
phpMyAdmin Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2009-1285)
OpenSSL Resource Management Errors Vulnerability (CVE-2006-2937)