setup/lib/ConfigGenerator.class.php
in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.
ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html
phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=0fbedaf5fd7a771d0885c6b7385d934fc90d0d7f
securityreason.com/securityalert/8306
typo3.org/teams/security/security-bulletins/typo3-sa-2011-008
www.debian.org/security/2011/dsa-2286
www.exploit-db.com/exploits/17514
www.openwall.com/lists/oss-security/2011/06/28/2
www.openwall.com/lists/oss-security/2011/06/28/6
www.openwall.com/lists/oss-security/2011/06/28/8
www.openwall.com/lists/oss-security/2011/06/29/11
www.phpmyadmin.net/home_page/security/PMASA-2011-6.php
github.com/phpmyadmin/composer
github.com/phpmyadmin/phpmyadmin/commit/0fbedaf5fd7a771d0885c6b7385d934fc90d0d7f
github.com/phpmyadmin/phpmyadmin/commit/2e01647949df937040e73a94ce0bac0daecbdcf4
nvd.nist.gov/vuln/detail/CVE-2011-2506
web.archive.org/web/20110712103138/www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
web.archive.org/web/20111116172111/www.securityfocus.com/archive/1/518804/100/0/threaded
web.archive.org/web/20121105034518/www.mandriva.com/en/support/security/advisories?name=MDVSA-2011:124