[ postfixadmin-Bugs-3412484 ] Possible SQL injection in create_admin
From: SourceForge.net <no...@so...> - 2011-09-22 23:09:02
Bugs item #3412484, was opened at 2011-09-21 20:31
Message generated for change (Comment added) made by christian_boltz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937964&aid=3412484&group_id=191583

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Core
Group: v2.3.3
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Matthias Bethke (msbethke)
Assigned to: Nobody/Anonymous (nobody)
Summary: Possible SQL injection in create_admin

Initial Comment:
The fDomains parameter to create_admin() is taken from POST data and interpolated in SQL without sanitizing it, posing the risk of an SQL injection attack. The risk is probably low as the function is only available to global admins, but even then they shouldn't be able to screw up the database or exploit further vulnerabilities in the DBMS.

----------------------------------------------------------------------

>Comment By: Christian Boltz (christian_boltz)
Date: 2011-09-23 01:09

Message:
Could you report such issues a day before a release instead of a day after the (2.3.4) release next time, please? (Just kidding ;-)

Seriously: Good catch, thanks for reporting it!

Fixed in
- 2.3 branch in SVN r1185, the fix will be in 2.3.5 (which we'll probably release soon, thanks to your bug report ;-)
- SVN trunk r1186

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937964&aid=3412484&group_id=191583
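The pattern behind this report (a list of domains taken from POST and written into SQL) and the shape of the fix, as an added Python illustration that is not PostfixAdmin's PHP code or the actual r1185 change; the table layout, the `DOMAIN_RE` allow-list and the `attempt` helper are assumptions made for the demo:

```python
import re
import sqlite3

# Constructed stand-in for the table create_admin() writes to;
# not PostfixAdmin's real schema.
SCHEMA = "CREATE TABLE domain_admins (username TEXT NOT NULL, domain TEXT NOT NULL);"

# Allow-list for a dotted hostname (assumed policy): letters, digits and
# hyphens in each label, at least one dot. Quotes, spaces, semicolons and
# comment sequences can never pass, so nothing SQL-significant reaches the query.
DOMAIN_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$",
    re.IGNORECASE,
)

def validate_domains(fdomains):
    """Reject the whole request if any submitted domain is malformed."""
    bad = [d for d in fdomains if not DOMAIN_RE.match(d)]
    if bad:
        raise ValueError(f"rejected domain values: {bad!r}")
    return list(fdomains)

def create_admin_unsafe(conn, username, fdomains):
    """The reported pattern: POST values interpolated straight into SQL.
    A single apostrophe in fDomains already breaks the statement."""
    for d in fdomains:
        conn.execute(f"INSERT INTO domain_admins VALUES ('{username}', '{d}')")
    return len(fdomains)

def create_admin_safe(conn, username, fdomains):
    """Hardened form: validate first, then bind every value as a parameter
    so the driver, not string concatenation, handles quoting."""
    rows = [(username, d) for d in validate_domains(fdomains)]
    conn.executemany("INSERT INTO domain_admins VALUES (?, ?)", rows)
    return len(rows)

def attempt(fn, fdomains):
    """Run fn against a fresh in-memory DB; return 'ok' or the exception name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        fn(conn, "admin@example.com", fdomains)
        return "ok"
    except (ValueError, sqlite3.Error) as exc:
        return type(exc).__name__

def stored_domains(fdomains):
    """Insert via the safe path and return what actually landed in the table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    create_admin_safe(conn, "admin@example.com", fdomains)
    return [r[0] for r in conn.execute("SELECT domain FROM domain_admins ORDER BY domain")]
```

Well-formed input behaves identically on both paths; input carrying a quote fails inside the DBMS on the unsafe path but is refused by `validate_domains` before any SQL is built on the safe one.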