Many posts have pointed out that a malicious MySQL server can use the LOAD DATA LOCAL command to read arbitrary files from MYSQL clients. According to this post (chinese), We can read arbitrary file on phpMyAdmin server if $cfg[‘AllowArbitraryServer’] enabled.

http://www.vulnspy.com/en-phpmyadmin-load-data-local-file-read-local-file/phpmyadmin_(allowarbitraryserver)_arbitrary_file_read_vulnerability/