Re: [Postfixadmin-devel] Fwd: Vulnerabilities in postfixadmin 2.3.4
From: Christian B. <pos...@cb...> - 2012-01-10 20:33:07
Hello,

On Tuesday, 10 January 2012, David Goodwin wrote:
> I've fixed the problems in backup.php, edit-vacation.php (and
> template/smenu.php) and functions.inc.php
>
> Can you confirm/test my changes please?

Done, see inline comments below.

We should release 2.3.5 in the next days to get those fixes out...

> Begin forwarded message:
>
> > From: Filippo Cavallarin <no...@so...>
> >
> > 1) SQL injection in pacrypt function: if postfixadmin is
> > configured with 'mysql_encrypt' the pacrypt function passes the
> > $pw parameter to sql query without sanitizing it allowing
> > non-admin users to perform sql injection attacks.

Fix confirmed (by reading the diff)

We'll also need this fix in trunk.

> > 2) SQL injection in sql dump generated by backup.php: the
> > backup.php file generates sql queries without sanitizing values.
> > A non-admin user can inject arbitrary sql commands into backup
> > file that will be executed when an admin restores that backup. To
> > test this issue try to set the vacation message of any user to:

Issue and fix confirmed (by testing with the old and new version).

We'll also need this fix in trunk.

(Unfortunately your commit included lots of whitespace changes, which
makes the diff very hard to read.)

> > 3) Multiple XSS and lack of CSRF protection: I found several XSS
> > in postfixadmin code. I noted from postfixadmin homepage that you
> > planned to merge it with Smarty which could provide a good
> > protection against XSS and CSRF.

Yes, see SVN trunk if you want to test it. The move to Smarty is done
(with a small exception in fetchmail.php). We are moving lots of things
to PHP classes which reduces the code size and unifies the handling of
forms, SQL queries etc. as much as possible. (This part is not completed
yet.)

> > Input passed via domain GET parameter to edit-vacation.php is not
> > properly sanitised before being returned to the user.
> > http://127.0.0.1/postfixadmin-2.3.4/edit-vacation.php?domain=dontc
> > are</script> <script>alert(1);</script>

Your fix urlencode()d $fCanceltarget, which was too secure ;-) - it
resulted in a 404 error when clicking the "Exit" button because the "?"
was also encoded. I changed it to only encode $fDomain.

After doing that: fix confirmed by testing.

vacation.php from trunk is not affected.

> > Input passed via fDomain POST parameter to create-domain.php is
> > not properly sanitised before being returned to the user.
> > This is interesting because the fDomain variable is passed to
> > strip_tags so something like on<a>click is transformed to onclick.
> > This allows to bypass browsers built-in XSS protection. To test
> > this issue put the following string as Domain parameter in
> > create-domain.php, submit the form and then click on Domain's
> > input text..
> >
> > dontcare" oncli<a>ck=alert(document.cookie);//

Very interesting bug :-/

I committed a fix for it and also confirmed the issue and the fix by
testing.

edit.php from trunk (which replaces create-domain and many more) is not
affected.

Filippo, thanks for reporting these issues!

You can check out the 2.3 branch with
svn co \
https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/branches/postfixadmin-2.3
if you want to confirm the fixes yourself.

Regards,

Christian Boltz
-- 
my_hdr X-MSMail-Priority: Normal
my_hdr X-Mailer: Microsoft Outlook Express 5.50.4133.2400
my_hdr X-MimeOLE: Produced by Microsoft MimeOLE V5.50.4133.2400
unset user_agent
set attribution="----- Original Message -----\n\From: %n <%a>\n\%t\n\Sent: %d\n\Subject: %s"
...and just like that you're using OE. Try doing that with KMail. ;-))))
[Andreas Kneib on mutt in suse-linux]
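As an added example (not postfixadmin code and not part of this thread), the PHP below contrasts the strip_tags() filtering that the reported "oncli<a>ck" string slips past with output encoding for the HTML attribute context, and shows the parameter-only URL encoding that avoids the 404 caused by encoding the whole $fCanceltarget. The function names, the `list-virtual.php` cancel target and the sample input are assumptions chosen for illustration.

```php
<?php
// Added example, not postfixadmin's own code. Function names, the cancel
// target file name and the sample input are assumptions for illustration.

// Hypothetical: what a strip_tags()-based "sanitizer" does to a value that
// is then placed inside an HTML attribute. strip_tags() removes the <a>,
// which joins "oncli" and "ck" into "onclick", and it leaves the double
// quote untouched, so the value can close the attribute and start a new one.
function render_domain_input_unsafe(string $domain): string {
    $cleaned = strip_tags($domain);
    return '<input type="text" name="fDomain" value="' . $cleaned . '">';
}

// Hypothetical: the same output with context-aware encoding. For an HTML
// attribute, ENT_QUOTES is essential: it turns " into &quot; and ' into
// &#039;, so no attribute boundary can be broken; < and > become &lt;/&gt;.
function render_domain_input_safe(string $domain): string {
    $encoded = htmlspecialchars($domain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="fDomain" value="' . $encoded . '">';
}

// Hypothetical "Exit" link builder for edit-vacation.php. Only the parameter
// value is percent-encoded (http_build_query() does that per value), so the
// "?" and "=" that make the URL work are preserved. Encoding the complete
// URL string instead would also encode "?" and break the link.
function build_cancel_url(string $domain): string {
    return 'list-virtual.php?' . http_build_query(['domain' => $domain]);
}

// Constructed sample input: the probe string reported in the thread.
$probe = 'dontcare" oncli<a>ck=alert(document.cookie);//';

echo render_domain_input_unsafe($probe), "\n";
echo render_domain_input_safe($probe), "\n";
echo build_cancel_url('example.com'), "\n";
echo urlencode('list-virtual.php?domain=example.com'), "\n";
```

Run with `php example.php`: the first line shows the stripped tag reassembling into an event-handler attribute, the second shows every quote and angle bracket encoded so the value stays inside the attribute, the third is a working link with only the value encoded, and the fourth shows the over-encoded form (with `%3F` in place of `?`) that produces the 404 described above. The point for maintainers is that strip_tags() is a tag remover, not an encoder for any output context; choose the encoding by where the data lands (HTML body, attribute, URL parameter, SQL), and use prepared statements rather than string concatenation for the SQL cases reported here.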