Re: CVE request: PostfixAdmin SQL injections and XSS

[Kurt Seifried <kseifried () redhat com>]

On 01/26/2012 04:07 AM, Christian Boltz wrote:
> Hello,
>
> we (the upstream PostfixAdmin developers) received a report about SQL
> injections and XSS in PostfixAdmin. 
>
> Please assign a CVE number to those issues.
>
> The issues are fixed in PostfixAdmin 2.3.5, which I'll release today or 
> tomorrow.
>
>
> For reference, here's the changelog with all details:
>
>   - fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
>   - fix SQL injection in backup.php - the dump was not mysql_escape()d, 
>     therefore users could inject SQL (for example in the vacation message)
>     which will be executed when restoring the database dump.
>     WARNING: database dumps created with backup.php from 2.3.4 or older might
>              contain malicious SQL. Double-check before using them!
>   - fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
>   - fix XSS in some create-domain input fields
>   - fix XSS in create-alias and edit-alias error message
>   - fix XSS (by values stored in the database) in fetchmail list view,
>     list-domain and list-virtual
>   - create-domain: fix SQL injection (only exploitable by superadmins)
>   - add missing $LANG['pAdminDelete_admin_error']
>   - don't mark mailbox targets with recipient delimiter as "forward only"
>   - wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function


So basically we have two sets of vulnerabilities: multiple SQL
injections and multiple XSS vulnerabilities, correct?


> Gruß
>
> Christian Boltz


-- 
Kurt Seifried Red Hat Security Response Team (SRT)