Synopsis :

The remote web server contains a PHP application that may allow
execution of arbitrary code.

Description :

The setup script included with the version of phpMyAdmin installed on
the remote host does not properly sanitize user-supplied input before
using it to generate a config file for the application. Submitting a
specially crafted POST request can result in arbitrary PHP code
injection.

A remote attacker could exploit this issue in a cross-site request
forgery attack, which could be used to execute arbitrary commands
on the system with the privileges of the web server.

See also :

http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php

Solution :

Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true