SF.net SVN: postfixadmin:[1673] branches/postfixadmin-2.3
Brought to you by:
christian_boltz,
gingerdog
From: <chr...@us...> - 2014-05-18 19:52:54
Revision: 1673 http://sourceforge.net/p/postfixadmin/code/1673 Author: christian_boltz Date: 2014-05-18 19:52:51 +0000 (Sun, 18 May 2014) Log Message: ----------- edit-mailbox.php: - fix query to enable/disable alias in edit-mailbox for PostgreSQL https://sourceforge.net/p/postfixadmin/bugs/311/ CHANGELOG.TXT: - update for the above fix - add CVE number for the show_gen_status() SQL injection fixed in 2.3.7 Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/edit-mailbox.php Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2014-05-11 23:09:18 UTC (rev 1672) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2014-05-18 19:52:51 UTC (rev 1673) @@ -10,9 +10,12 @@ # Last update: # $Id$ +Changes since the 2.3.7 release: + - fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311) + Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch) ---------------------------------------------------------------- - - SECURITY: fix SQL injection in show_gen_status() + - SECURITY: fix SQL injection in show_gen_status() (CVE-2014-2655) - lt.lang, da.lang translation update - when enabling/disabling a mailbox, also update the corresponding alias - fix creating superadmin in setup.php with MariaDB (more strict SQL) Modified: branches/postfixadmin-2.3/edit-mailbox.php =================================================================== --- branches/postfixadmin-2.3/edit-mailbox.php 2014-05-11 23:09:18 UTC (rev 1672) +++ branches/postfixadmin-2.3/edit-mailbox.php 2014-05-18 19:52:51 UTC (rev 1673) 
@@ -162,7 +162,7 @@ else { db_log ($SESSID_USERNAME, $fDomain, 'edit_mailbox', $fUsername); - $result = db_query ("UPDATE $table_alias SET active=$sqlActive WHERE address='$fUsername' AND domain='$fDomain'"); + $result = db_query ("UPDATE $table_alias SET active='$sqlActive' WHERE address='$fUsername' AND domain='$fDomain'"); if ($result['rows'] != 1) { $error = 1; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
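Review bot: in the edit-mailbox.php hunk (@@ -162,7 +162,7 @@), the changed UPDATE is still assembled by interpolating $sqlActive, $fUsername and $fDomain straight into the SQL string, and the visible lines do not show where those values are escaped. Quoting active='$sqlActive' addresses the PostgreSQL type problem, but please confirm that all three variables are escaped before this point, or pass them as bound parameters, given that the CHANGELOG in this same commit records an SQL injection fix in show_gen_status(). A second point on the unchanged context line `if ($result['rows'] != 1)`: it sets $error whenever the UPDATE matches no alias row, so a mailbox with no alias at that address would fail the edit; consider whether 0 rows should be tolerated there.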