Date: Tue, 07 Feb 2017 13:52:23 +0100
From: Christian Boltz <oss-security@...ltz.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: PostfixAdmin allows to delete protected aliases

Hello,

[I'm not subscribed, so please CC me in your replies.]

I'd like to request a CVE ID for Postfixadmin.

Thanks to a missing permission check, domain admins can delete aliases 
they are not allowed to delete (for example abuse@, which the server 
admin might have set up so that he gets all abuse mails).

This can only be exploited by authenticated domain admins.

See https://github.com/postfixadmin/postfixadmin/pull/23 for a detailed 
description.

Affected versions:
- PostfixAdmin 3.0 and 3.0.1
- PostfixAdmin 2.91, 2.92 and 2.93 (which actually are 3.0 beta releases)

Older PostfixAdmin releases (2.3.x and older) are not affected.

PostfixAdmin 3.0.2 will fix this issue - I'll release it in the next few days.


Regards,

Christian Boltz
-- 
Always the same beginner's mistake:
/dev/null is for backup,
/dev/zero is for restore.
[J. P. Meier]
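The bug class described above, modelled as an added example that is not PostfixAdmin's code: a server-side authorization check for alias deletion that only verifies domain ownership (the vulnerable shape) beside one that also refuses protected aliases to domain admins. The option names follow PostfixAdmin's `default_aliases` and `special_alias_control` settings; the `Conf`, `Admin`, `delete_alias_*` and `handle_delete` names and the in-memory alias store are constructed for this example.

```python
# Illustrative example (not PostfixAdmin code): authorization for alias deletion.
from dataclasses import dataclass, field

@dataclass
class Conf:
    # Local parts treated as protected, and whether domain admins may touch
    # them. Both names mirror PostfixAdmin's config options; the defaults are
    # the usual ones (protected, and domain admins may not control them).
    default_aliases: tuple = ("abuse", "hostmaster", "postmaster", "webmaster")
    special_alias_control: bool = False

@dataclass
class Admin:
    username: str
    superadmin: bool = False
    domains: set = field(default_factory=set)   # domains this admin manages

def delete_alias_vulnerable(admin, alias, conf):
    """Vulnerable shape: only checks that the admin owns the domain, so a
    domain admin can remove abuse@ even though the server admin reserved it."""
    _local, _, domain = alias.partition("@")
    return admin.superadmin or domain in admin.domains

def delete_alias_fixed(admin, alias, conf):
    """Fixed shape: ownership check plus the missing protected-alias check."""
    local, _, domain = alias.partition("@")
    if admin.superadmin:
        return True                       # server admin may delete anything
    if domain not in admin.domains:
        return False                      # not one of this admin's domains
    if local.lower() in conf.default_aliases and not conf.special_alias_control:
        return False                      # protected alias, domain admin locked out
    return True

def handle_delete(store, admin, alias, conf, check=delete_alias_fixed):
    """Deletion handler; the check runs here, on the server side, not only in
    the UI that lists aliases. Returns True if the alias was removed."""
    if alias not in store or not check(admin, alias, conf):
        return False
    store.remove(alias)
    return True
```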
