Date: Tue, 07 Feb 2017 13:52:23 +0100
From: Christian Boltz <oss-security@...ltz.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: PostfixAdmin allows deleting protected aliases

Hello,

[I'm not subscribed, so please CC me in your replies.]

I'd like to request a CVE ID for Postfixadmin.

Thanks to a missing permission check, domain admins can delete aliases they are not allowed to delete (for example abuse@, which the server admin might have set up so that he gets all abuse mails).

This can only be exploited by authenticated domain admins.

See https://github.com/postfixadmin/postfixadmin/pull/23 for a detailed description.

Affected versions:
- PostfixAdmin 3.0 and 3.0.1
- PostfixAdmin 2.91, 2.92 and 2.93 (which actually are 3.0 beta releases)

Older PostfixAdmin releases (2.3.x and older) are not affected.

PostfixAdmin 3.0.2 will fix this issue - I'll release it in the next few days.

Regards,

Christian Boltz
--
Always the same beginner's mistake: /dev/null is for backup, /dev/zero is for restore. [J. P. Meier]
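The report above describes a missing permission check rather than showing it. The following is an added illustration, not PostfixAdmin's code: a small model of alias deletion in which the first variant only checks domain ownership (the class of bug described) and the second additionally refuses domain admins the deletion of aliases created by the server admin. The role names, the "protected" flag and the sample aliases are assumptions made for this example.

```python
# Added example, not PostfixAdmin's code. Role names, the "protected" flag
# and the sample data are assumptions made for illustration only.
from dataclasses import dataclass


@dataclass
class Alias:
    address: str
    domain: str
    protected: bool  # set when the server (super) admin created it, e.g. abuse@


@dataclass
class Admin:
    username: str
    superadmin: bool
    domains: frozenset  # domains a domain admin is allowed to manage


class PermissionDenied(Exception):
    pass


def delete_alias_vulnerable(store, admin, address):
    """Checks only that the alias lives in one of the admin's domains."""
    alias = store[address]
    if not admin.superadmin and alias.domain not in admin.domains:
        raise PermissionDenied(address)
    del store[address]
    return True


def delete_alias_fixed(store, admin, address):
    """Additionally refuses domain admins the deletion of protected aliases."""
    alias = store[address]
    if not admin.superadmin:
        if alias.domain not in admin.domains:
            raise PermissionDenied(address)
        if alias.protected:
            raise PermissionDenied(f"{address} is protected")
    del store[address]
    return True


def make_store():
    # Constructed sample data: one protected and one ordinary alias.
    return {
        "abuse@example.com": Alias("abuse@example.com", "example.com", True),
        "sales@example.com": Alias("sales@example.com", "example.com", False),
    }


DOMAIN_ADMIN = Admin("dadmin", False, frozenset({"example.com"}))
SUPER_ADMIN = Admin("root", True, frozenset())
```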