Re: CVE request: PostfixAdmin SQL injections and XSS
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 26 Jan 2012 10:15:27 -0700
On 01/26/2012 04:07 AM, Christian Boltz wrote:
> we (the upstream PostfixAdmin developers) received a report about SQL
> injections and XSS in PostfixAdmin.
> Please assign a CVE number to those issues.
> The issues are fixed in PostfixAdmin 2.3.5, which I'll release today or
> For reference, here's the changelog with all details:
> - fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
> - fix SQL injection in backup.php - the dump was not mysql_escape()d,
>   therefore users could inject SQL (for example in the vacation message)
>   which will be executed when restoring the database dump.
>   WARNING: database dumps created with backup.php from 2.3.4 or older might
>   contain malicious SQL. Double-check before using them!
> - fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
> - fix XSS in some create-domain input fields
> - fix XSS in create-alias and edit-alias error message
> - fix XSS (by values stored in the database) in fetchmail list view,
>   list-domain and list-virtual
> - create-domain: fix SQL injection (only exploitable by superadmins)
> - add missing $LANG['pAdminDelete_admin_error']
> - don't mark mailbox targets with recipient delimiter as "forward only"
> - wrap hex2bin with function_exists() - PHP 5.3.8 has it as a native function
So basically we have two sets of vulnerabilities: multiple SQL
injections and multiple XSS vulnerabilities, correct?
Kurt Seifried Red Hat Security Response Team (SRT)
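The backup.php item in the quoted changelog is a second-order injection: a value that was stored safely (the vacation message) is copied into a dump without escaping, and the dump is later executed as SQL when it is restored. The following is an added example, not PostfixAdmin code and not taken from the thread; it models the problem and the fix in Python with SQLite rather than in PostfixAdmin's PHP/MySQL, and the table names, columns and rows are constructed for the demonstration and are not PostfixAdmin's real schema.

```python
"""Second-order SQL injection via an unescaped database dump.

Added example, not PostfixAdmin code: it models the backup.php problem
from the 2.3.5 changelog in Python/SQLite (PostfixAdmin itself is
PHP/MySQL). Table names, columns and rows are constructed for the demo
and are not PostfixAdmin's real schema.
"""
import sqlite3

# Minimal constructed schema standing in for the real database.
SCHEMA = """
CREATE TABLE mailbox (username TEXT);
CREATE TABLE vacation (email TEXT, body TEXT);
INSERT INTO mailbox VALUES ('alice@example.com'), ('mallory@example.com');
"""

# Constructed vacation messages. Mallory's is attacker-controlled: stored
# through a parameterised INSERT it is just an odd string, but copied
# verbatim into a dump it closes the literal and smuggles in statements.
ROWS = [
    ("alice@example.com", "Out of office until Monday."),
    ("mallory@example.com",
     "Gone fishing'); DELETE FROM mailbox; INSERT INTO vacation VALUES ('x', 'pwned"),
]


def make_db():
    """Live database with the vacation rows stored safely (bound parameters)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vacation VALUES (?, ?)", ROWS)
    return conn


def dump_unescaped(conn):
    """The pre-2.3.5 pattern: stored values pasted straight into the dump."""
    return "\n".join(
        f"INSERT INTO vacation VALUES ('{email}', '{body}');"
        for email, body in conn.execute("SELECT email, body FROM vacation")
    )


def sql_quote(value):
    """Render a string as a safe single-quoted SQL literal.

    SQLite dialect: double every embedded quote. The PHP fix uses
    mysql_escape()/mysql_real_escape_string for the same purpose; MySQL
    additionally needs backslashes and NUL bytes escaped.
    """
    return "'" + value.replace("'", "''") + "'"


def dump_escaped(conn):
    """The fixed pattern: every value quoted before it enters the dump."""
    return "\n".join(
        f"INSERT INTO vacation VALUES ({sql_quote(email)}, {sql_quote(body)});"
        for email, body in conn.execute("SELECT email, body FROM vacation")
    )


def restore(dump_sql):
    """Replay a dump into a fresh database, as a restore procedure does.

    executescript runs every statement in the text, which is exactly why
    attacker text that broke out of its quotes becomes executable here.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(dump_sql)
    return conn


def counts(conn):
    """(mailbox rows, vacation rows) for a quick before/after comparison."""
    mailboxes = conn.execute("SELECT COUNT(*) FROM mailbox").fetchone()[0]
    vacations = conn.execute("SELECT COUNT(*) FROM vacation").fetchone()[0]
    return mailboxes, vacations


def vacation_body(conn, email):
    """Stored vacation message for one address, or None if it is missing."""
    row = conn.execute("SELECT body FROM vacation WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    live = make_db()
    print("live:             ", counts(live))
    print("restore unescaped:", counts(restore(dump_unescaped(live))))
    print("restore escaped:  ", counts(restore(dump_escaped(live))))
```

Restoring the unescaped dump wipes the mailbox table and adds a row the attacker chose; restoring the escaped dump reproduces the live database, including Mallory's message as a harmless string. This is also why the changelog's WARNING matters: a dump written by the old code is already poisoned, and escaping only at restore time cannot tell attacker statements from legitimate ones, so such dumps have to be inspected rather than trusted.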