[ postfixadmin-Bugs-3473826 ] Multiple security vulnerabilities
From: SourceForge.net <no...@so...> - 2012-01-14 21:19:05
Bugs item #3473826, was opened at 2012-01-14 09:35
Message generated for change (Comment added) made by christian_boltz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937964&aid=3473826&group_id=191583

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Core
Group: v2.3.4
Status: Open
Resolution: None
Priority: 9
>Private: Yes
Submitted By: Matthias Bethke (msbethke)
Assigned to: Nobody/Anonymous (nobody)
Summary: Multiple security vulnerabilities

Initial Comment:

1) SQL injection in pacrypt function:
If postfixadmin is configured with 'mysql_encrypt', the pacrypt() function passes the $pw parameter to the SQL query without sanitizing it, allowing non-admin users (even unauthenticated ones) to perform SQL injection attacks.

2) SQL injection in SQL dump generated by backup.php:
The backup.php file generates SQL queries without sanitizing values. A non-admin user can inject arbitrary SQL commands into the backup file that will be executed when an admin restores that backup.
To test this issue, try to set the vacation message of any user to:

dontcare\',\'\',\'dominio.com\',\'2012-01-09 17:34:06\',\'1\'); INSERT INTO admin (username,password,created,modified,active) VALUES (\'so...@em...\',\'$1$2cab7a19$zIuOsr6PXksCu13883fVg/\',\'2012-01-08 15:48:19\',\'2012-01-09 17:17:55\',\'1\'); #

then take a backup and restore it; the new admin so...@em... is added to the admin table.

3) Multiple XSS and lack of CSRF protection¹:
I found several XSS in postfixadmin code. I noted from the postfixadmin homepage that you planned to merge it with Smarty, which could provide good protection against XSS and CSRF. BTW, I report some of them to you:

Input passed via the domain GET parameter to edit-vacation.php is not properly sanitised before being returned to the user.

http://127.0.0.1/postfixadmin-2.3.4/edit-vacation.php?domain=dontcare</script><script>alert(1);</script>

Input passed via the fDomain POST parameter to create-domain.php is not properly sanitized before being returned to the user. This is interesting because the fDomain variable is passed to strip_tags, so something like on<a>click is transformed to onclick. This allows bypassing browsers' built-in XSS protection.
To test this issue, put the following string as the Domain parameter in create-domain.php, submit the form and then click on the Domain input text:

dontcare\" oncli<a>ck=alert(document.cookie);//

Note: Credits for these discoveries belong to Filippo Cavallarin. I'm passing on his mail with just minor edits; for some reason it seems to have reached me but not this bug tracker.

----------------------------------------------------------------------

>Comment By: Christian Boltz (christian_boltz)
Date: 2012-01-14 13:19

Message:
He also mailed David and me, and we discussed the issues (mostly) in private mails.

We already fixed the SQL injections and XSS in SVN and will release PostfixAdmin 2.3.5 in the next days.

CSRF protection will cause some more work (and I consider it less critical than the SQL injections and XSS), which also means we will first release 2.3.5 to fix the most serious issues.

----------------------------------------------------------------------
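The report above describes three defects: a password interpolated into SQL, dump lines built by string concatenation, and strip_tags used as an XSS defence. The following PHP is an added illustration of the corresponding fixes and is not PostfixAdmin's code (the function names pacrypt_mysql_encrypt, dump_insert_line, h and is_valid_domain are hypothetical); it binds the password as a query parameter, escapes every dumped value through an escaper callable (addslashes stands in below so the demonstration runs without a database; production code would pass the connection's real_escape_string), and encodes on output with htmlspecialchars instead of stripping on input. Run on the constructed inputs at the bottom, strip_tags collapses oncli<a>ck into onclick exactly as the report says, while h() turns the quote into &quot; so it can no longer close a value="..." attribute, and the quotes inside the vacation text come out backslash-escaped so the restored dump inserts one row and executes nothing else. ENCRYPT() is assumed to exist on the server; it was removed in MySQL 8.0.

```php
<?php
// Added example, not PostfixAdmin's own code. Function names are hypothetical.
declare(strict_types=1);

// Issue 1: pacrypt with 'mysql_encrypt'. The password is bound as a parameter,
// so the SQL text never contains $pw and quotes inside it stay data.
// Assumes a mysqli connection and a server that still provides ENCRYPT().
function pacrypt_mysql_encrypt(mysqli $db, string $pw, string $salt): string
{
    $stmt = $db->prepare('SELECT ENCRYPT(?, ?)');
    $stmt->bind_param('ss', $pw, $salt);
    $stmt->execute();
    $stmt->bind_result($hash);
    $stmt->fetch();
    $stmt->close();
    return (string) $hash;
}

// Issue 2: every value written to the dump goes through an escaper before it is
// quoted. $escape is injected so the function can run without a database;
// in production pass [$db, 'real_escape_string'].
function dump_insert_line(string $table, array $row, callable $escape): string
{
    // Column names come from the application, never from user input.
    $cols = implode(',', array_keys($row));
    $vals = implode(',', array_map(
        fn($v) => "'" . $escape((string) $v) . "'",
        array_values($row)
    ));
    return "INSERT INTO $table ($cols) VALUES ($vals);";
}

// Issue 3: encode on output. With ENT_QUOTES both quote characters are encoded,
// so reflected input cannot terminate the attribute it is placed in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Input-side check for fDomain: accept only labels a hostname can contain.
// Validation narrows what is stored; h() still guards the output path.
function is_valid_domain(string $d): bool
{
    if (strlen($d) > 253) {
        return false;
    }
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
    return (bool) preg_match("/^{$label}(\\.{$label})+\$/i", $d);
}

// Demonstration on constructed input (no database needed).
$tagged = 'oncli<a>ck';
echo "strip_tags: ", strip_tags($tagged), "\n";      // tag removal rejoins the attribute name
echo "encoded:    ", h('x" oncli<a>ck=1'), "\n";      // safe inside value="..."

// Constructed vacation text shaped like the report's injection attempt.
$vacation = "dontcare','','dominio.com','2012-01-09 17:34:06','1'); -- injected SQL would follow";
echo dump_insert_line(
    'vacation',
    ['email' => 'user@dominio.com', 'body' => $vacation],
    'addslashes'
), "\n";

var_dump(is_valid_domain('dominio.com'));
var_dump(is_valid_domain('dontcare" onclick=1'));
```

The same rule applies to the domain GET parameter of edit-vacation.php: pass the reflected value through h() at the point it is written into the page, and reject it up front with is_valid_domain() if it should only ever be a domain name.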