Date: Thu, 26 Jan 2012 12:07:12 +0100 From: Christian Boltz <oss-securrity@...ltz.de> To: oss-security@...ts.openwall.com Subject: CVE request: PostfixAdmin SQL injections and XSS Hello, we (the upstream PostfixAdmin developers) received a report about SQL injections and XSS in PostfixAdmin. Please assign a CVE number to those issues. The issues are fixed in PostfixAdmin 2.3.5, which I'll release today or tomorrow. For reference, here's the changelog with all details: - fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt') - fix SQL injection in backup.php - the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump. WARNING: database dumps created with backup.php from 2.3.4 or older might contain malicious SQL. Double-check before using them! - fix XSS with $_GET[domain] in templates/menu.php and edit-vacation - fix XSS in some create-domain input fields - fix XSS in create-alias and edit-alias error message - fix XSS (by values stored in the database) in fetchmail list view, list-domain and list-virtual - create-domain: fix SQL injection (only exploitable by superadmins) - add missing $LANG['pAdminDelete_admin_error'] - don't mark mailbox targets with recipient delimiter as "forward only" - wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function If you are interested in the exact code changes, run svn diff -r 1180:1335 https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/branches/postfixadmin-2.3 Severity: that's a good question, please judge yourself ;-) The most critical part is probably the SQL injection in pacrypt() because it is used in the login form, which means it's available to non-authentificated users. On the positive side, I'd guess the mysql_encrypt encryption method is used rarely. The affected code in pacrypt() is ($pw was not escaped, $salt comes from the database (the first 2 characters of the current hashed password)): $res=db_query("SELECT ENCRYPT('".$pw."','".$salt."');"); or when hashing a new password $res=db_query("SELECT ENCRYPT('".$pw."');"); db_query() is a wrapper that uses (depending on the configured database) mysql_query, mysqli_query or pg_query. The other issues are limited to authentificated users. Gruß Christian Boltz -- >So, Helm aufsetz und auf Steine wart ... *werf* *Steine! Flache Steine! Runde Steine! Grosse Steine! Kleine Steine!* *Wer will noch mal, wer hat noch nicht?* [> Manfred Tremmel und David Haller in suse-linux]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.