Date: Thu, 26 Jan 2012 12:07:12 +0100
From: Christian Boltz <oss-securrity@...ltz.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: PostfixAdmin SQL injections and XSS

Hello,

we (the upstream PostfixAdmin developers) received a report about SQL
injections and XSS in PostfixAdmin. 

Please assign a CVE number to those issues.

The issues are fixed in PostfixAdmin 2.3.5, which I'll release today or 
tomorrow.


For reference, here's the changelog with all details:

  - fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
  - fix SQL injection in backup.php - the dump was not mysql_escape()d, 
    therefore users could inject SQL (for example in the vacation message)
    which will be executed when restoring the database dump.
    WARNING: database dumps created with backup.php from 2.3.4 or older might
             contain malicious SQL. Double-check before using them!
  - fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
  - fix XSS in some create-domain input fields
  - fix XSS in create-alias and edit-alias error message
  - fix XSS (by values stored in the database) in fetchmail list view,
    list-domain and list-virtual
  - create-domain: fix SQL injection (only exploitable by superadmins)
  - add missing $LANG['pAdminDelete_admin_error']
  - don't mark mailbox targets with recipient delimiter as "forward only"
  - wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function

If you are interested in the exact code changes, run
    svn diff -r 1180:1335 https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/branches/postfixadmin-2.3


Severity: that's a good question, please judge yourself ;-)

The most critical part is probably the SQL injection in pacrypt() because it is
used in the login form, which means it's available to non-authenticated
users. On the positive side, I'd guess the mysql_encrypt encryption method is
used rarely.

The affected code in pacrypt() is ($pw was not escaped, $salt comes from the
database (the first 2 characters of the current hashed password)):
            $res=db_query("SELECT ENCRYPT('".$pw."','".$salt."');");
or when hashing a new password
            $res=db_query("SELECT ENCRYPT('".$pw."');");

db_query() is a wrapper that uses (depending on the configured database)
mysql_query, mysqli_query or pg_query.

The other issues are limited to authenticated users.


Regards

Christian Boltz
-- 
>So, putting on my helmet and waiting for stones ...
*throws*
*Stones! Flat stones! Round stones! Big stones! Small stones!*
*Who wants another go, who hasn't had one yet?*
[> Manfred Tremmel and David Haller in suse-linux]
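The pacrypt() query quoted above, shown next to a hardened form, as an added example that is not PostfixAdmin's own code and not the fix shipped in 2.3.5. It assumes an open mysqli connection in $conn and uses MySQL's ENCRYPT() the way the 'mysql_encrypt' method does; the connection details and stored hash at the end are placeholders.

```php
<?php
// Added example (not PostfixAdmin's own code). Contrasts the concatenated
// query described in the report with a prepared-statement version.
// Assumes $conn is an open mysqli connection to a MySQL server.

// Pattern from the report: $pw and $salt are spliced into the SQL text, so
// the database parses whatever they contain as part of the statement.
// Kept here only to make clear what the hardened version changes.
function pacrypt_concatenated(mysqli $conn, string $pw, string $salt = ''): ?string
{
    if ($salt !== '') {
        $sql = "SELECT ENCRYPT('" . $pw . "','" . $salt . "');";
    } else {
        $sql = "SELECT ENCRYPT('" . $pw . "');";
    }
    $res = $conn->query($sql);
    if ($res === false) {
        return null;
    }
    $row = $res->fetch_row();
    return $row === null ? null : $row[0];
}

// Hardened version: password and salt travel as bound parameters, so the
// server never treats their contents as SQL syntax.
function pacrypt_prepared(mysqli $conn, string $pw, string $salt = ''): ?string
{
    $stmt = $conn->prepare($salt !== '' ? 'SELECT ENCRYPT(?, ?)' : 'SELECT ENCRYPT(?)');
    if ($stmt === false) {
        return null;
    }
    if ($salt !== '') {
        $stmt->bind_param('ss', $pw, $salt);
    } else {
        $stmt->bind_param('s', $pw);
    }
    $stmt->execute();
    $stmt->bind_result($hash);
    $hash = $stmt->fetch() ? $hash : null;
    $stmt->close();
    return $hash;
}

// Login check as the report describes it: re-encrypt the submitted password
// with the first two characters of the stored hash and compare.
// Connection parameters and $stored are placeholders, not real values.
$conn   = new mysqli('localhost', 'postfixadmin', 'placeholder', 'postfixadmin');
$stored = 'abPLACEHOLDER';                 // stored crypt()-style hash
$salt   = substr($stored, 0, 2);
$ok     = pacrypt_prepared($conn, $_POST['password'] ?? '', $salt) === $stored;
```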
