Re: [Postfixadmin-devel] Vulnerabilities in postfixadmin 2.3.4
From: David G. <da...@co...> - 2012-01-10 22:55:45
<snip/>

backup.php :

Change :

-   foreach ($row as $key=>$val)
-   {
-     $fields[] = $key;
-     $values[] = $val;
-   }

To :

+   $fields = array_keys($row);
+   $values = array_values($row);
+   $values = array_map('escape_string', $values);

See changeset/revision 1326.

thanks
David.

> Issue and fix confirmed (by testing with the old and new version).
>
> We'll also need this fix in trunk. (Unfortunately your commit included
> lots of whitespace changes, which makes the diff very hard to read.)
>
>>> 3) Multiple XSS and lack of CSRF protection: I found several XSS
>>> in postfixadmin code. I noted from postfixadmin homepage that you
>>> planned to merge it with Smarty which could provide a good
>>> protection against XSS and CSRF.
>
> Yes, see SVN trunk if you want to test it.
>
> The move to Smarty is done (with a small exception in fetchmail.php).
>
> We are moving lots of things to PHP classes which reduces the code size
> and unifies the handling of forms, SQL queries etc. as much as possible.
> (This part is not completed yet.)
>
>>> Input passed via domain GET parameter to edit-vacation.php is not
>>> properly sanitised before being returned to the user.
>>> http://127.0.0.1/postfixadmin-2.3.4/edit-vacation.php?domain=dontcare</script> <script>alert(1);</script>
>
> Your fix urlencode()d $fCanceltarget, which was too secure ;-) - it
> resulted in a 404 error when clicking the "Exit" button because the "?"
> was also encoded. I changed it to only encode $fDomain.
>
> After doing that: fix confirmed by testing.
>
> vacation.php from trunk is not affected.
>
>>> Input passed via fDomain POST parameter to create-domain.php is
>>> not properly sanitised before being returned to the user.
>>> This is interesting because the fDomain variable is passed to
>>> strip_tags so something like on<a>click is transformed to onclick.
>>> This allows to bypass browsers' built-in XSS protection.
>>> To test this issue put the following string as Domain parameter in
>>> create-domain.php, submit the form and then click on Domain's
>>> input text..
>>>
>>> dontcare" oncli<a>ck=alert(document.cookie);//
>
> Very interesting bug :-/
>
> I committed a fix for it and also confirmed the issue and the fix by
> testing.
>
> edit.php from trunk (which replaces create-domain and many more) is not
> affected.
>
> Filippo, thanks for reporting these issues!
>
> You can check out the 2.3 branch with
> svn co \
> https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/branches/postfixadmin-2.3
> if you want to confirm the fixes yourself.
>
> Regards,
>
> Christian Boltz
> --
> my_hdr X-MSMail-Priority: Normal
> my_hdr X-Mailer: Microsoft Outlook Express 5.50.4133.2400
> my_hdr X-MimeOLE: Produced by Microsoft MimeOLE V5.50.4133.2400
> unset user_agent
> set attribution="----- Original Message -----\n\
> From: %n <%a>\n\
> %t\n\
> Sent: %d\n\
> Subject: %s"
> ...and just like that, you're using OE. Try doing that with KMail. ;-))))
> [Andreas Kneib on mutt in suse-linux]
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Postfixadmin-devel mailing list
> Pos...@li...
> https://lists.sourceforge.net/lists/listinfo/postfixadmin-devel
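Review bot: in the backup.php change quoted at the top of this message, `$values = array_map('escape_string', $values);` escapes every value including NULLs, and escape_string() turns a NULL into an empty string, so a column that is NULL in the table is written to the dump as '' and comes back as a non-NULL empty value on restore. Consider mapping NULL to the SQL literal before escaping, e.g. `is_null($val) ? 'NULL' : escape_string($val)`, and have the code that emits the INSERT leave that literal unquoted; the column names from array_keys($row) come from the schema and need no escaping, so the rest of the change looks right.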
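The two XSS fixes discussed above (output encoding of fDomain in create-domain.php, and encoding only $fDomain rather than the whole $fCanceltarget in edit-vacation.php) can be seen side by side in the following PHP script. It is an added example written for this page, not PostfixAdmin's own code: the function names, the `list-page.php` link target and the form markup are assumptions made for illustration; only the two payloads are taken from the report. It also generalises slightly by adding a small checker that flags a reflected on* handler, which the thread does not include.

```php
<?php
// Added example (not PostfixAdmin code). Function names, the "list-page.php"
// target and the <input> markup are assumptions for illustration; the
// payloads are the ones quoted in the thread.

// Payload from the create-domain.php report. The "<a>" splits the attribute
// name so the raw request never contains "onclick=": a reflected-XSS filter
// comparing request with response sees nothing suspicious, and strip_tags()
// then deletes the tag and reassembles "onclick=" inside the page.
const PAYLOAD = 'dontcare" oncli<a>ck=alert(document.cookie);//';

// Vulnerable shape described in the report: strip_tags() only, then the value
// is concatenated into a double-quoted HTML attribute.
function render_domain_input_vulnerable(string $fDomain): string
{
    $value = strip_tags($fDomain);
    return '<input type="text" name="fDomain" value="' . $value . '">';
}

// Hardened: encode for the HTML attribute context when writing output.
// ENT_QUOTES turns the closing quote into &quot;, so the browser never sees
// a second attribute; the "<a>" survives harmlessly as &lt;a&gt;.
function render_domain_input_safe(string $fDomain): string
{
    $value = htmlspecialchars($fDomain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="fDomain" value="' . $value . '">';
}

// Heuristic check (added here, not in the thread): does the rendered fragment
// contain an on* handler that ended up as its own attribute?
function has_live_event_handler(string $html): bool
{
    return (bool) preg_match('/\s(on[a-z]+)\s*=/i', $html);
}

// The edit-vacation.php "Exit" link. Encoding the domain *value* keeps the
// link working; encoding the whole target turns "?" into %3F and the web
// server looks for a file literally named "list-page.php%3Fdomain=...",
// which is the 404 described in the thread.
function cancel_link(string $page, string $fDomain): string
{
    $target = $page . '?domain=' . urlencode($fDomain);
    return '<a href="' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">Exit</a>';
}

// The over-encoded variant that was reverted.
function cancel_link_overencoded(string $page, string $fDomain): string
{
    return '<a href="' . urlencode($page . '?domain=' . $fDomain) . '">Exit</a>';
}

$vuln = render_domain_input_vulnerable(PAYLOAD);
$safe = render_domain_input_safe(PAYLOAD);
printf("vulnerable: %s\n  live handler: %s\n", $vuln, has_live_event_handler($vuln) ? 'yes' : 'no');
printf("hardened:   %s\n  live handler: %s\n", $safe, has_live_event_handler($safe) ? 'yes' : 'no');

// Payload from the edit-vacation.php report, used as the domain value.
$script_domain = 'dontcare</script><script>alert(1);</script>';
echo "exit link (value encoded):   ", cancel_link('list-page.php', $script_domain), "\n";
echo "exit link (whole URL encoded): ", cancel_link_overencoded('list-page.php', $script_domain), "\n";
```

Run it with `php example.php`: the vulnerable rendering reports a live handler because the attribute quote is closed by the payload, the hardened rendering does not, and of the two Exit links only the value-encoded one keeps `?` and `=` as literal URL delimiters. The lesson the report makes is that strip_tags() is an input filter, not an output encoder; the encoding has to match the context the value is written into (HTML attribute, URL query value), and filtering that alters the reflected string can even defeat browser-side XSS filters that rely on request and response matching.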