libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
http://www.securityfocus.com/archive/1/518804/100/0/threaded
http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php
http://www.openwall.com/lists/oss-security/2011/06/29/11
http://www.openwall.com/lists/oss-security/2011/06/28/8
http://www.openwall.com/lists/oss-security/2011/06/28/6
http://www.openwall.com/lists/oss-security/2011/06/28/2
http://www.mandriva.com/security/advisories?name=MDVSA-2011:124
http://www.debian.org/security/2011/dsa-2286
http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/
http://securityreason.com/securityalert/8306
http://secunia.com/advisories/45315
http://secunia.com/advisories/45292
http://secunia.com/advisories/45139
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html