PostfixAdmin 2.3.5 released

2012-01-27
2013-01-23
  • Hello,

    I just released PostfixAdmin 2.3.5 which is a security update that fixes some SQL injections (CVE-2012-0811) and XSS vulnerabilities (CVE-2012-0812).

    Credits go to Filippo Cavallarin for finding most of the vulnerabilities and notifying us.
    The only exception is "create-domain: fix SQL injection (only exploitable by superadmins)" which was found by Matthias Bethke.

    Be warned that backups created with backup.php from 2.3.4 and earlier can contain SQL injections that will be executed when you restore the backup. In other words: Double-check old backups before restoring them!

    If you are using the PostfixAdmin package that comes with openSUSE 12.1, a security update will be available in the next few days.

    For reference, here's the full changelog for 2.3.5:

      - fix SQL injection in pacrypt() (if $CONF == 'mysql_encrypt')
      - fix SQL injection in backup.php - the dump was not mysql_escape()d,
        therefore users could inject SQL (for example in the vacation message)
        which will be executed when restoring the database dump.
        WARNING: database dumps created with backup.php from 2.3.4 or older might
                 contain malicious SQL. Double-check before using them!
      - fix XSS with $_GET in templates/menu.php and edit-vacation
      - fix XSS in some create-domain input fields
      - fix XSS in create-alias and edit-alias error message
      - fix XSS (by values stored in the database) in fetchmail list view,
        list-domain and list-virtual
      - create-domain: fix SQL injection (only exploitable by superadmins)
      - add missing $LANG
      - don't mark mailbox targets with recipient delimiter as "forward only"
      - wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function

     
  • xonix84
    2012-02-02

    Hello,
    I possibly found a bug

     
  • GingerDog
    2012-02-02

    Hi,
    I'd guess there's some weird encoding going on there - what version of PHP are you using? What does the data within the database (via phpmyadmin) look like?

     
  • xonix84
    2012-02-02

    PHP Version 5.3.9
    MySQL  Encoding UTF8
    Collation utf8_general_ci
    PostfixAdmin 2.3.4 works fine.

     
  • xonix84
    2012-02-02

    By the way, in phpmyadmin I see these fields correctly.

     
  • Looks like I should include some non-ASCII domain and mailbox descriptions in my test data ;-)

    Wild guess, not really tested:

    Edit templates/list-virtual.php line 317
    replace
        print "      <td>" . htmlentities($tMailbox) . "</td>\n";
    with
        print "      <td>" . htmlentities($tMailbox, ENT_QUOTES, 'UTF-8') . "</td>\n";

    Does this solve the issue for you? (Note it will only change listing mailboxes in list-virtual.)

    You probably need to do a similar change for list-domain.
    Edit templates/admin_list-domain.php and change line 53 to
        print "<td>" . htmlentities($domain_properties, ENT_QUOTES, 'UTF-8') . "</td>";
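
Why the one-argument call broke non-ASCII names, as an added example that is not part of the original posts or of PostfixAdmin's code: escape_legacy() spells out the ENT_COMPAT and ISO-8859-1 defaults that htmlentities() had in PHP 5.3, and escape_utf8() is the call from the fix above. The function names and sample strings are constructed for illustration.

```php
<?php
// Added example, not PostfixAdmin code. All sample values are constructed.

// Models the call that broke the list views: in PHP 5.3 htmlentities()
// defaulted to ENT_COMPAT and ISO-8859-1. Both are made explicit here so
// the result is the same on any PHP version.
function escape_legacy($value) {
    return htmlentities($value, ENT_COMPAT, 'ISO-8859-1');
}

// The call from the fix posted in this thread.
function escape_utf8($value) {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// True if the escaped text decodes back to exactly the stored value,
// i.e. a page served as UTF-8 shows what the database holds.
function round_trips($escaped, $original) {
    return html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === $original;
}

$samples = array(
    'ascii name'     => 'Sales mailbox',
    'cyrillic name'  => 'Отдел продаж',
    'german umlaut'  => 'Büro München',
    'quote + markup' => "O'Brien <ops>",
);

foreach ($samples as $label => $stored) {
    $old = escape_legacy($stored);
    $new = escape_utf8($stored);
    printf("%-15s legacy intact: %-3s  utf8 intact: %-3s\n", $label,
        round_trips($old, $stored) ? 'yes' : 'no',
        round_trips($new, $stored) ? 'yes' : 'no');
    // Each UTF-8 byte is treated as a Latin-1 character by the legacy call,
    // and ENT_COMPAT leaves the single quote unescaped.
    printf("  legacy: %s\n  utf8:   %s\n", $old, $new);
}
```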

     
  • Tomas
    2012-02-02

    I had a similar problem with some national characters and can confirm that changing templates/list-virtual.php and templates/admin_list-domain.php solved it.

    Just hope that these changes wouldn't be necessary after every postfixadmin release :)

     
  • It's a regression caused by the security fixes in 2.3.5 - in other words: no, this won't be necessary in every release ;-)

    I just committed the fix to the 2.3 branch. I doubt we'll do another release just to fix this, but 2.3.6 (whenever we release it) will contain the fix.

     
  • Artem
    2012-02-04

    Thanks, this solution helped.
    Thank you for your work on postfixadmin.

     
  • Alex Sml
    2012-11-20

    Thanks, this helped me to view national characters in the name field.

    But I have another problem: when I enter national characters in search field, I see error:
    Invalid query: Illegal mix of collations (latin1_general_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation 'like'
    All characterset variables in mysql are set to utf8.
    I changed every LIKE '%$fSearch%' to LIKE '%$fSearch%' collate utf8_general_ci in search.php and this solved the problem with search for me.
    Hope this will be fixed in the next postfixadmin release.