[ postfixadmin-Bugs-3412484 ] Possible SQL injection in create_admin
From: SourceForge.net <no...@so...> - 2011-09-21 18:31:32
Bugs item #3412484, was opened at 2011-09-21 13:31
Message generated for change (Tracker Item Submitted) made by msbethke
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937964&aid=3412484&group_id=191583

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Core
Group: v2.3.3
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Matthias Bethke (msbethke)
Assigned to: Nobody/Anonymous (nobody)
Summary: Possible SQL injection in create_admin

Initial Comment:
The fDomains parameter to create_admin() is taken from POST data and interpolated in SQL without sanitizing it, posing the risk of an SQL injection attack. The risk is probably low as the function is only available to global admins but even then they shouldn't be able to screw up the database or exploit further vulnerabilities in the DBMS.
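The pattern the report describes, next to a parameterized form, as an added example that is not PostfixAdmin's own code. The function names, the two-table schema and the sample input are assumptions, and it runs against an in-memory SQLite database through PDO (pdo_sqlite assumed to be available).

```php
<?php
declare(strict_types=1);
// Added example: table and function names are hypothetical, not PostfixAdmin's own.

// Unsafe pattern described in the report: a POSTed value is pasted into SQL text.
function assign_domains_unsafe(PDO $db, string $user, array $domains): void
{
    foreach ($domains as $d) {
        $db->exec("INSERT INTO domain_admins (username, domain) VALUES ('$user', '$d')");
    }
}

// Hardened form: type-check, allow-list against known domains, bind parameters.
function assign_domains(PDO $db, string $user, array $domains): array
{
    $known = $db->query('SELECT domain FROM domain')->fetchAll(PDO::FETCH_COLUMN);
    $insert = $db->prepare('INSERT INTO domain_admins (username, domain) VALUES (:u, :d)');
    $rejected = [];
    $db->beginTransaction();
    foreach ($domains as $d) {
        // POST arrays can nest; accept only strings naming an existing domain.
        if (!is_string($d) || !in_array($d, $known, true)) {
            $rejected[] = $d;
            continue;
        }
        $insert->execute([':u' => $user, ':d' => $d]);
    }
    $db->commit();
    return $rejected;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE domain (domain TEXT PRIMARY KEY)');
$db->exec('CREATE TABLE domain_admins (username TEXT, domain TEXT)');
$db->exec("INSERT INTO domain VALUES ('example.com'), ('example.org')");

// Constructed stand-in for $_POST['fDomains'], including a value with a quote.
$posted = ['example.com', "bad'domain", ['nested']];
$rejected = assign_domains($db, 'admin@example.com', $posted);
var_dump($db->query('SELECT COUNT(*) FROM domain_admins')->fetchColumn());
var_dump($rejected);
```

The allow-list check and the bound parameters are independent controls: the first keeps unknown domains out of the table, the second keeps any accepted value from being parsed as SQL.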