Red Hat Bugzilla – Bug 808439
CVE-2012-1600 phpPgAdmin: XSS by displaying default list of functions in the database
Last modified: 2016-03-04 07:01:39 EST
A cross-site scripting (XSS) flaw was found in the way phpPgAdmin, a web-based PostgreSQL database administration tool, presented the default list of functions present in the database to the user upon request. A remote attacker could provide a specially crafted web page which, once visited by an unsuspecting, valid phpPgAdmin user, could lead to arbitrary HTML or web script execution in the context of the logged-in phpPgAdmin user.
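The pattern behind this class of flaw, shown as an added illustration that is not phpPgAdmin's own code: a function name taken from the request (or from the pg_proc catalog) is interpolated into the HTML of the function list without escaping. The parameter names, the helper names and the sample payload are assumptions made for this example, not details taken from the advisory.

```php
<?php
// Added illustration, not phpPgAdmin's code. Renders one row of a "list of
// functions" page from an untrusted function name and OID. Parameter names
// ('function', 'oid') and the payload below are assumptions for this example.

// Vulnerable pattern: the untrusted name lands in the markup unescaped, so a
// link such as (constructed sample, not from the advisory)
//   functions.php?function=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
// runs the script in the session of the phpPgAdmin user who clicks it.
function render_function_row_vulnerable(string $name, string $oid): string
{
    return "<tr><td><a href=\"functions.php?oid={$oid}\">{$name}</a></td></tr>\n";
}

// Hardened pattern: HTML-escape every untrusted value at the point of output,
// and URL-encode values that are placed into a query string first.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_function_row_hardened(string $name, string $oid): string
{
    $href = 'functions.php?oid=' . rawurlencode($oid);
    return '<tr><td><a href="' . h($href) . '">' . h($name) . "</a></td></tr>\n";
}

// Demonstration. From the command line:
//   php functions_demo.php '<script>alert(document.cookie)</script>' 16384
// Under a web server the same values would arrive in $_GET.
$name = $argv[1] ?? ($_GET['function'] ?? 'pg_sleep');
$oid  = $argv[2] ?? ($_GET['oid'] ?? '16384');

echo "vulnerable: " . render_function_row_vulnerable($name, $oid);
echo "hardened:   " . render_function_row_hardened($name, $oid);
```

The hardened row turns `<script>` into `&lt;script&gt;`, which the browser renders as text rather than executing. The practical check for a fix of this kind is the same regardless of where the name came from: every value reaching the page from the request or from the database catalog must pass through an HTML-escaping function before it is echoed, because a database user who can create a function with an arbitrary name controls that value just as a crafted link does.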
This issue affected the versions of the phpPgAdmin package as shipped with Fedora releases 15 and 16, and as shipped with Fedora EPEL 5 and Fedora EPEL 6.
The following phpPgAdmin updates have already been scheduled:
1) phpPgAdmin-5.0.4-1.fc15 for Fedora 15,
2) phpPgAdmin-5.0.4-1.fc16 for Fedora 16,
3) phpPgAdmin-5.0.4-1.el5 for Fedora EPEL 5,
4) phpPgAdmin-5.0.4-1.el6 for Fedora EPEL 6
to correct this deficiency. Once the above packages have passed the required level of testing, they will be pushed to the -stable repository of each of the releases listed above.