Date: Thu, 26 Jan 2012 12:07:12 +0100 From: Christian Boltz <oss-securrity@...ltz.de> To: oss-security@...ts.openwall.com Subject: CVE request: PostfixAdmin SQL injections and XSS Hello, we (the upstream PostfixAdmin developers) received a report about SQL injections and XSS in PostfixAdmin. Please assign a CVE number to those issues. The issues are fixed in PostfixAdmin 2.3.5, which I'll release today or tomorrow. For reference, here's the changelog with all details: - fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt') - fix SQL injection in backup.php - the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump. WARNING: database dumps created with backup.php from 2.3.4 or older might contain malicious SQL. Double-check before using them! - fix XSS with $_GET[domain] in templates/menu.php and edit-vacation - fix XSS in some create-domain input fields - fix XSS in create-alias and edit-alias error message - fix XSS (by values stored in the database) in fetchmail list view, list-domain and list-virtual - create-domain: fix SQL injection (only exploitable by superadmins) - add missing $LANG['pAdminDelete_admin_error'] - don't mark mailbox targets with recipient delimiter as "forward only" - wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function If you are interested in the exact code changes, run svn diff -r 1180:1335 https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/branches/postfixadmin-2.3 Severity: that's a good question, please judge yourself ;-) The most critical part is probably the SQL injection in pacrypt() because it is used in the login form, which means it's available to non-authentificated users. On the positive side, I'd guess the mysql_encrypt encryption method is used rarely. The affected code in pacrypt() is ($pw was not escaped, $salt comes from the database (the first 2 characters of the current hashed password)): $res=db_query("SELECT ENCRYPT('".$pw."','".$salt."');"); or when hashing a new password $res=db_query("SELECT ENCRYPT('".$pw."');"); db_query() is a wrapper that uses (depending on the configured database) mysql_query, mysqli_query or pg_query. The other issues are limited to authentificated users. Gruß Christian Boltz -- >So, Helm aufsetz und auf Steine wart ... *werf* *Steine! Flache Steine! Runde Steine! Grosse Steine! Kleine Steine!* *Wer will noch mal, wer hat noch nicht?* [> Manfred Tremmel und David Haller in suse-linux]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ