Input passed via the "$host" variable within the setup is not properly sanitised before being used. This can be exploited to insert HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.
NOTE: Successful exploitation requires that installation best-practices have not been followed and the config directory is left writable.
The vulnerability is reported in versions 3.4.x prior to 3.4.9.
Upgrade to version 3.4.9 or later.
There's also http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php:
Using crafted url parameters, it was possible to produce XSS on the export panels in the server, database and table sections.
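As an added illustration of the pattern the Secunia text describes (example code, not phpMyAdmin's own): a request value written into a setup form unchanged, beside the validate-then-encode handling that keeps markup in the value from becoming part of the page. The function names, the hostname rule and the fallback value are assumptions for the example.

```php
<?php
// Added illustrative example, not phpMyAdmin's code. Function names and the
// hostname rule are assumptions chosen for the demonstration.

// Vulnerable pattern: the parameter is placed into an HTML attribute unchanged,
// so quotes and tags in the value become part of the page structure.
function render_host_unsafe(string $host): string
{
    return '<input type="text" name="host" value="' . $host . '">';
}

// Hardened pattern, step 1: accept only what a hostname may contain
// (RFC 1123-style labels of letters, digits and hyphens, dot-separated,
// no label starting or ending with a hyphen, 253 characters overall).
function is_valid_hostname(string $host): bool
{
    if (strlen($host) === 0 || strlen($host) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Hardened pattern, step 2: encode for the HTML attribute context on output,
// even for values that passed validation (defence in depth).
function render_host_safe(string $host): string
{
    if (!is_valid_hostname($host)) {
        $host = 'localhost'; // assumed known-good default for the example
    }
    $encoded = htmlspecialchars($host, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="host" value="' . $encoded . '">';
}

// Constructed sample inputs: a normal hostname and a value carrying markup.
$normal  = 'db.example.org';
$tainted = '"><b>injected</b>';

echo render_host_unsafe($tainted), "\n"; // attribute is closed early; markup survives into the page
echo render_host_safe($tainted), "\n";   // fails validation; default is rendered, encoded
echo render_host_safe($normal), "\n";    // passes validation; rendered encoded
```

The advisory's note about the config directory matters as much as the code: when the setup script's output directory is not writable, a crafted value cannot be persisted into the configuration, so the operational hardening and the output encoding address the same issue from two sides.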
Arches, please test and mark stable:
Target keywords: "alpha amd64 hppa ppc ppc64 sparc x86"
Stable for HPPA.
Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
Thanks, folks. Closing noglsa for XSS.
Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections.
This issue was resolved and addressed in GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml by GLSA coordinator Tim Sammut (underling).