Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 26 Jan 2012 18:55:11 +0100
From: Christian Boltz <oss-securrity@...ltz.de>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: PostfixAdmin SQL injections and XSS

Hello,

Am Donnerstag, 26. Januar 2012 schrieb Kurt Seifried:
> On 01/26/2012 04:07 AM, Christian Boltz wrote:
> > we (the upstream PostfixAdmin developers) received a report about
> > SQL injections and XSS in PostfixAdmin.
> > 
> > Please assign a CVE number to those issues.
> > 
> > The issues are fixed in PostfixAdmin 2.3.5, which I'll release
> > today or tomorrow.
> > 
> > For reference, here's the changelog with all details:
> >   - fix SQL injection in pacrypt() (if $CONF[encrypt] ==
> >   'mysql_encrypt') 
> >   - fix SQL injection in backup.php - the dump
> >   was not mysql_escape()d,>   
> >     therefore users could inject SQL (for example in the
> >     vacation message) which will be executed when restoring
> >     the database dump. WARNING: database dumps created with
> >     backup.php from 2.3.4 or older might>     
> >              contain malicious SQL. Double-check
> >              before using them!
> >   - fix XSS with $_GET[domain] in templates/menu.php and
> >   edit-vacation - fix XSS in some create-domain input fields
> >   - fix XSS in create-alias and edit-alias error message
> >   - fix XSS (by values stored in the database) in fetchmail list
> >   view, list-domain and list-virtual
> >   - create-domain: fix SQL injection (only exploitable by
> >   superadmins) 
> >   - add missing $LANG['pAdminDelete_admin_error']
> >   - don't mark mailbox targets with recipient delimiter as
> >   "forward only" 
> >   - wrap hex2bin with function_exists()  - PHP 5.3.8 has it 
> >   as native function

> So basically we have two sets of vulnerabilities: multiple SQL
> injections and multiple XSS vulnerabilities, correct?

Yes, correct.
(For completeness: the last 3 items ($LANG, the "forward only" marker 
and the hex2bin change) are non-security fixes.)


Gruß

Christian Boltz
-- 
> /etc/sysconfig/powersave/cpufreq contains the line:
> # the next lover CPU frequency. Increasing this value lowers the
             ^^^^^
we should keep that one ;)
[Michael Gross in https://bugzilla.novell.com/show_bug.cgi?id=183704]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.