This was originally disclosed via a vendor advisory that did not make it clear that two distinct vulnerabilities were present. CVE described it as one flaw, calling it a "static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php ... allows remote attackers to inject arbitrary PHP code into configuration files." Both issues require that the web server have a writable config directory.
phpMyAdmin has a feature that allows a user to generate a configuration file for phpMyAdmin from the web interface, without authentication. The configuration file is essentially a PHP file, rather than a flat ASCII config file. Some protections were built into this feature so that only configuration settings could be added, rather than arbitrary PHP code or other dangerous input.
Vulnerability #1:
Providing arbitrary PHP code to the 'textconfig' parameter of /setup/config.php results in the creation of a configuration file that contains arbitrary PHP code. The code can then be executed by loading the newly created configuration file. This flaw is due to errors in setup/config.php and setup/frames/config.inc.php and was fixed via commit c98e5e3a5a7567fa7925bd20606d1ca73228fc03.
Vulnerability #2:
The configuration file generator allows specifying a server name, which will be added to the beginning of the configuration file in a C-style comment:
/* This is my server's name */
A specially crafted server name can close the comment early, resulting in the injection of arbitrary PHP code. For example, providing a name of */ system('id'); /*
results in the following code being generated:
/**/ system('id'); /**/
This code can be executed by loading the newly created configuration file. This flaw is due to an error in setup/lib/ConfigFile.class.php that was fixed via commit 1325e238738e09fd3797a4a70afdc18b3ab5be21.
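The comment breakout in Vulnerability #2, shown as an added example that is not phpMyAdmin's code and does not reproduce the referenced commit: the function names are hypothetical, and the sanitisation is one possible approach. It builds the header comment both ways and uses PHP's tokenizer to check whether anything in the generated text falls outside a comment.

```php
<?php
// Added illustration; function names are hypothetical, not phpMyAdmin's code.

// Weak form: the name is pasted into a C-style comment unchanged.
function header_comment_unsafe(string $serverName): string
{
    return '/* ' . $serverName . ' */';
}

// Hardened form (an assumption, not the project's fix): replace comment
// delimiters and line breaks with spaces so the value cannot terminate
// the comment it is written into.
function header_comment_safe(string $serverName): string
{
    $clean = str_replace(['*/', '/*', "\r", "\n"], ' ', $serverName);
    return '/* ' . trim($clean) . ' */';
}

// Check: tokenize the generated text as PHP and collect every token that is
// not an open tag, whitespace, or a comment. A correct header yields none.
function tokens_outside_comment(string $comment): array
{
    $allowed = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $found = [];
    foreach (token_get_all("<?php\n" . $comment . "\n") as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowed, true)) {
                $found[] = token_name($tok[0]);
            }
        } else {
            $found[] = $tok; // single-character token such as "(" or ";"
        }
    }
    return $found;
}

// Constructed inputs: a benign name and the server name quoted above.
$samples = ["This is my server's name", "*/ system('id'); /*"];
foreach ($samples as $name) {
    foreach (['header_comment_unsafe', 'header_comment_safe'] as $fn) {
        $out  = $fn($name);
        $leak = tokens_outside_comment($out);
        $verdict = $leak ? 'CODE: ' . implode(' ', $leak) : 'comment only';
        printf("%-22s %-34s %s\n", $fn, $out, $verdict);
    }
}
```

The same tokenizer check can be run over a generated configuration file's header before it is written, as a guard that does not depend on the sanitisation being complete.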