Date: Thu, 26 Jan 2012 13:54:12 -0700
From: Kurt Seifried <>
CC: Christian Boltz <>
Subject: Re: CVE request: PostfixAdmin SQL injections and XSS

>>> Please assign a CVE number to those issues.
>>> The issues are fixed in PostfixAdmin 2.3.5, which I'll release
>>> today or tomorrow.
>>> For reference, here's the changelog with all details:
>>>   - fix SQL injection in pacrypt() (if $CONF[encrypt] ==
>>>     'mysql_encrypt')
>>>   - fix SQL injection in backup.php - the dump
>>>     was not mysql_escape()d,
>>>     therefore users could inject SQL (for example in the
>>>     vacation message) which will be executed when restoring
>>>     the database dump. WARNING: database dumps created with
>>>     backup.php from 2.3.4 or older might
>>>     contain malicious SQL. Double-check
>>>     before using them!

Please use CVE-2012-0811 for PostfixAdmin 2.3.4 multiple SQL vulnerabilities

>>>   - fix XSS with $_GET[domain] in templates/menu.php and
>>>     edit-vacation
>>>   - fix XSS in some create-domain input fields
>>>   - fix XSS in create-alias and edit-alias error message
>>>   - fix XSS (by values stored in the database) in fetchmail list

Please use CVE-2012-0812 for PostfixAdmin 2.3.4 multiple XSS

>> So basically we have two sets of vulnerabilities: multiple SQL
>> injections and multiple XSS vulnerabilities, correct?
> Yes, correct.
> (For completeness: the last 3 items ($LANG, the "forward only" marker 
> and the hex2bin change) are non-security fixes.)
> Regards
> Christian Boltz


Kurt Seifried Red Hat Security Response Team (SRT)
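
The backup.php item in the quoted changelog, as an added example that is not part of the original message and is not PostfixAdmin code: a dump writer that quotes values without escaping them is restored next to one that escapes them. SQLite stands in for MySQL so the example runs offline; the schema, the sample rows and all function names are constructed assumptions.

```python
import sqlite3

# Constructed schema and data, loosely modelled on a mail admin database.
SCHEMA = """
CREATE TABLE mailbox (username TEXT);
CREATE TABLE vacation (email TEXT, body TEXT);
"""
# Constructed vacation message containing a quote and a second statement.
HOSTILE_BODY = "Back Monday'); DELETE FROM mailbox; --"

def quote_naive(value):
    # Pre-fix behaviour: the value is wrapped in quotes but not escaped.
    return "'" + value + "'"

def quote_escaped(value):
    # Double embedded single quotes (standard SQL string-literal escaping).
    return "'" + value.replace("'", "''") + "'"

def build_source():
    """Create the live database that is about to be backed up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO mailbox VALUES (?)", ("alice@example.test",))
    conn.execute("INSERT INTO vacation VALUES (?, ?)",
                 ("alice@example.test", HOSTILE_BODY))
    return conn

def dump(conn, quote):
    """Serialise every row as an INSERT statement, as a backup script does."""
    lines = []
    for table in ("mailbox", "vacation"):
        for row in conn.execute(f"SELECT * FROM {table}"):
            values = ", ".join(quote(v) for v in row)
            lines.append(f"INSERT INTO {table} VALUES ({values});")
    return "\n".join(lines)

def restore(dump_sql):
    """Replay a dump into an empty database and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + dump_sql)
    return conn

def row_count(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

if __name__ == "__main__":
    src = build_source()
    for name, quote in (("naive", quote_naive), ("escaped", quote_escaped)):
        restored = restore(dump(src, quote))
        print(name, "mailbox rows after restore:", row_count(restored, "mailbox"))
```

With the naive writer the stored message ends its string literal early, so the restore runs the trailing statement; with escaping the message round-trips as data.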
