oss-sec mailing list archives

CVE request: PostfixAdmin SQL injections and XSS


From: Christian Boltz <oss-securrity () cboltz de>
Date: Thu, 26 Jan 2012 12:07:12 +0100

Hello,

we (the upstream PostfixAdmin developers) received a report about SQL
injections and XSS in PostfixAdmin. 

Please assign a CVE number to those issues.

The issues are fixed in PostfixAdmin 2.3.5, which I'll release today or 
tomorrow.


For reference, here's the changelog with all details:

  - fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
  - fix SQL injection in backup.php - the dump was not mysql_escape()d, 
    therefore users could inject SQL (for example in the vacation message)
    which will be executed when restoring the database dump.
    WARNING: database dumps created with backup.php from 2.3.4 or older might
             contain malicious SQL. Double-check before using them!
  - fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
  - fix XSS in some create-domain input fields
  - fix XSS in create-alias and edit-alias error message
  - fix XSS (by values stored in the database) in fetchmail list view,
    list-domain and list-virtual
  - create-domain: fix SQL injection (only exploitable by superadmins)
  - add missing $LANG['pAdminDelete_admin_error']
  - don't mark mailbox targets with recipient delimiter as "forward only"
  - wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function

If you are interested in the exact code changes, run
    svn diff -r 1180:1335 https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/branches/postfixadmin-2.3


Severity: that's a good question, please judge yourself ;-)

The most critical part is probably the SQL injection in pacrypt() because it is
used in the login form, which means it's available to non-authenticated
users. On the positive side, I'd guess the mysql_encrypt encryption method is
used rarely.

The affected code in pacrypt() is ($pw was not escaped, $salt comes from the
database (the first 2 characters of the current hashed password)):
            $res=db_query("SELECT ENCRYPT('".$pw."','".$salt."');");
or when hashing a new password
            $res=db_query("SELECT ENCRYPT('".$pw."');");

db_query() is a wrapper that uses (depending on the configured database)
mysql_query, mysqli_query or pg_query.

The other issues are limited to authenticated users.


Regards

Christian Boltz
-- 
So, putting on my helmet and waiting for stones ...
*throws*
*Stones! Flat stones! Round stones! Big stones! Small stones!*
*Who wants another go, who hasn't had one yet?*
[> Manfred Tremmel and David Haller in suse-linux]
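Added example (not PostfixAdmin's own code and not the change shipped in 2.3.5; for that, see the svn diff referenced above). It puts the pacrypt() pattern quoted in the mail next to a variant that binds $pw and $salt as prepared-statement parameters, and adds a small helper of the kind backup.php would need so that values taken from the database are escaped before they are written into a dump. It assumes a mysqli connection in $db; the function names pacrypt_mysql_encrypt() and dump_row_sql() are illustrative.

```php
<?php
// Added example, not PostfixAdmin code. Assumes an open mysqli connection $db.

// The 2.3.4 pattern described in the advisory, kept only as a comment:
//   $res = db_query("SELECT ENCRYPT('" . $pw . "','" . $salt . "');");
// $pw is copied into the SQL text unescaped, so any quote character in the
// submitted password ends the string literal and the remainder of the input
// is parsed as SQL. Because pacrypt() runs during login, no account is needed.

// Hardened variant: the SQL text never contains user input. The password and
// the salt travel as bound parameters and cannot change the statement shape.
function pacrypt_mysql_encrypt(mysqli $db, string $pw, string $salt = ''): string
{
    if ($salt === '') {
        $stmt = $db->prepare('SELECT ENCRYPT(?)');
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $db->error);
        }
        $stmt->bind_param('s', $pw);
    } else {
        $stmt = $db->prepare('SELECT ENCRYPT(?, ?)');
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $db->error);
        }
        $stmt->bind_param('ss', $pw, $salt);
    }

    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }

    $hash = null;
    $stmt->bind_result($hash);
    $stmt->fetch();
    $stmt->close();

    // ENCRYPT() returns NULL when crypt() is unavailable on the server;
    // treat that as an error instead of storing an empty hash.
    if ($hash === null) {
        throw new RuntimeException('ENCRYPT() returned NULL');
    }
    return $hash;
}

// Helper for a backup routine: build one INSERT statement for a row fetched
// from the database, escaping every value. A vacation message such as
// "'); DROP TABLE x; --" (constructed sample) is then written as a harmless
// string literal instead of being replayed as SQL when the dump is restored.
function dump_row_sql(mysqli $db, string $table, array $row): string
{
    $quoteIdent = function (string $name): string {
        return '`' . str_replace('`', '``', $name) . '`';
    };

    $cols = array_map($quoteIdent, array_keys($row));
    $vals = array_map(function ($v) use ($db) {
        if ($v === null) {
            return 'NULL';
        }
        return "'" . $db->real_escape_string((string) $v) . "'";
    }, array_values($row));

    return 'INSERT INTO ' . $quoteIdent($table)
        . ' (' . implode(', ', $cols) . ')'
        . ' VALUES (' . implode(', ', $vals) . ');';
}

// Usage sketch (requires a MySQL server; $db is assumed to exist):
//   $hash = pacrypt_mysql_encrypt($db, $_POST['password'], substr($stored, 0, 2));
//   $line = dump_row_sql($db, 'vacation', ['email' => 'a@example.com',
//                                          'body'  => "'); DROP TABLE x; --"]);
```

The helper escapes values with real_escape_string() rather than the old mysql_escape() family because escaping must use the connection's character set; the identifier quoting covers column and table names, which prepared statements cannot parameterize. When reviewing an old 2.3.4 dump before restoring it, the thing to look for is exactly what dump_row_sql() prevents: a value whose quote characters are not doubled or backslash-escaped.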

