oss-sec mailing list archives
CVE request: PostfixAdmin allows to delete protected aliases
From: Christian Boltz <oss-security () cboltz de>
Date: Tue, 07 Feb 2017 13:52:23 +0100
Hello,

[I'm not subscribed, so please CC me in your replies.]

I'd like to request a CVE ID for Postfixadmin.

Thanks to a missing permission check, domain admins can delete aliases they are not allowed to delete (for example abuse@, which the server admin might have set up so that he gets all abuse mails).

This can only be exploited by authenticated domain admins.

See https://github.com/postfixadmin/postfixadmin/pull/23 for a detailed description.

Affected versions:
- PostfixAdmin 3.0 and 3.0.1
- PostfixAdmin 2.91, 2.92 and 2.93 (which actually are 3.0 beta releases)

Older PostfixAdmin releases (2.3.x and older) are not affected.

PostfixAdmin 3.0.2 will fix this issue - I'll release it in the next days.

Regards,

Christian Boltz
-- 
Always the same beginner's mistake: /dev/null is for backup, /dev/zero is for restore. [J. P. Meier]
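As an added illustration of the missing check the message above describes (example code written for this page, not PostfixAdmin's own; the data model, the function names and the set of protected local parts are assumptions): the vulnerable deletion only verifies that the requesting domain admin manages the alias's domain, so abuse@ in his own domain can be removed, while the fixed version additionally refuses domain admins for protected local parts and leaves their deletion to the superadmin.

```python
# Added example (not PostfixAdmin code): a simplified model of the missing
# permission check in alias deletion. The data model, function names and the
# set of protected local parts are assumptions for illustration only.

from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Tuple

# Assumed: local parts the server (super)admin reserves for himself. The
# advisory names abuse@ as its example; postmaster@ is added as an assumption.
PROTECTED_LOCAL_PARTS: FrozenSet[str] = frozenset({"abuse", "postmaster"})


@dataclass(frozen=True)
class Admin:
    username: str
    superadmin: bool = False
    # Domains a domain admin manages; ignored for a superadmin.
    domains: FrozenSet[str] = field(default_factory=frozenset)


class PermissionDenied(Exception):
    pass


def split_alias(address: str) -> Tuple[str, str]:
    """Normalise an alias address into (local_part, domain), both lower-cased."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed alias address: {address!r}")
    return local.lower(), domain.lower()


def delete_alias_vulnerable(admin: Admin, address: str, aliases: Dict[str, str]) -> None:
    """Before the fix: only domain ownership is checked, so a domain admin
    can remove abuse@ inside his own domain."""
    local, domain = split_alias(address)
    if not admin.superadmin and domain not in admin.domains:
        raise PermissionDenied(f"{admin.username} does not manage {domain}")
    del aliases[f"{local}@{domain}"]


def delete_alias_fixed(admin: Admin, address: str, aliases: Dict[str, str]) -> None:
    """After the fix: a domain admin is also refused for protected local
    parts; only a superadmin may remove those."""
    local, domain = split_alias(address)
    if not admin.superadmin:
        if domain not in admin.domains:
            raise PermissionDenied(f"{admin.username} does not manage {domain}")
        if local in PROTECTED_LOCAL_PARTS:
            raise PermissionDenied(
                f"{local}@{domain} is protected; only a superadmin may delete it")
    del aliases[f"{local}@{domain}"]


def attempt(func: Callable[[Admin, str, Dict[str, str]], None],
            admin: Admin, address: str, aliases: Dict[str, str]) -> str:
    """Run one deletion against a copy of the alias table and report the outcome."""
    table = dict(aliases)
    try:
        func(admin, address, table)
    except PermissionDenied:
        return "denied"
    except KeyError:
        return "no such alias"
    return "deleted"


def demo() -> Dict[str, str]:
    # Constructed sample data: one domain admin, one superadmin, two aliases.
    domain_admin = Admin("dadmin@example.com", domains=frozenset({"example.com"}))
    superadmin = Admin("root@example.com", superadmin=True)
    aliases = {
        "abuse@example.com": "root@example.com",  # set up by the server admin
        "sales@example.com": "bob@example.com",   # ordinary alias
    }
    return {
        "vuln: domain admin deletes abuse@": attempt(delete_alias_vulnerable, domain_admin, "abuse@example.com", aliases),
        "fixed: domain admin deletes abuse@": attempt(delete_alias_fixed, domain_admin, "abuse@example.com", aliases),
        "fixed: domain admin deletes ABUSE@ (mixed case)": attempt(delete_alias_fixed, domain_admin, "ABUSE@Example.com", aliases),
        "fixed: domain admin deletes sales@": attempt(delete_alias_fixed, domain_admin, "sales@example.com", aliases),
        "fixed: domain admin deletes abuse@ in foreign domain": attempt(delete_alias_fixed, domain_admin, "abuse@other.org", aliases),
        "fixed: superadmin deletes abuse@": attempt(delete_alias_fixed, superadmin, "abuse@example.com", aliases),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The protected check is deliberately applied to the normalised local part, so case variations of the address cannot bypass it, and it is skipped only for a superadmin, not for any admin who happens to manage the domain.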
Current thread:
- CVE request: PostfixAdmin allows to delete protected aliases Christian Boltz (Feb 07)
- Re: CVE request: PostfixAdmin allows to delete protected aliases cve-assign (Feb 07)
- Re: CVE request: PostfixAdmin allows to delete protected aliases Christian Boltz (Feb 08)
- Re: CVE request: PostfixAdmin allows to delete protected aliases cve-assign (Feb 07)