SF.net SVN: postfixadmin:[1813] branches/postfixadmin-2.3
From: <chr...@us...> - 2015-10-03 09:40:40
Revision: 1813 http://sourceforge.net/p/postfixadmin/code/1813 Author: christian_boltz Date: 2015-10-03 09:40:37 +0000 (Sat, 03 Oct 2015) Log Message: ----------- create-mailbox.php - fix escaping in username and name field (again reported by Juan Rossi) admin_create-admin.php - fix escaping in username input field fetchmail.php - fix escaping in input and textarea fields - don't echo back the password to the browser This fixes some harmless XSS which is POST-only and can only be used by authentificated admins to attack themself. Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/templates/admin_create-admin.php branches/postfixadmin-2.3/templates/create-mailbox.php branches/postfixadmin-2.3/templates/fetchmail.php Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-03 08:58:21 UTC (rev 1812) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-03 09:40:37 UTC (rev 1813) @@ -16,6 +16,9 @@ - don't prefill username in users/ login on failed logins - fixes (probably harmless) XSS - fix show_gen_status() to properly escape mail addresses in query (#356) + - fix escaping in create-admin, create-mailbox and fetchmail templates - + fixes (harmless) XSS on form validation errors + - don't echo the password back to the browser in the fetchmail form - allow MariaDB in Debian package dependencies Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch) Modified: branches/postfixadmin-2.3/templates/admin_create-admin.php =================================================================== --- branches/postfixadmin-2.3/templates/admin_create-admin.php 2015-10-03 08:58:21 UTC (rev 1812) +++ branches/postfixadmin-2.3/templates/admin_create-admin.php 2015-10-03 09:40:37 UTC (rev 1813) 
@@ -7,7 +7,7 @@ </tr> <tr> <td><?php print $PALANG['pAdminCreate_admin_username'] . ":"; ?></td> - <td><input class="flat" type="text" name="fUsername" value="<?php print $tUsername; ?>" /></td> + <td><input class="flat" type="text" name="fUsername" value="<?php print htmlentities($tUsername); ?>" /></td> <td><?php print $pAdminCreate_admin_username_text; ?></td> </tr> <tr> Modified: branches/postfixadmin-2.3/templates/create-mailbox.php =================================================================== --- branches/postfixadmin-2.3/templates/create-mailbox.php 2015-10-03 08:58:21 UTC (rev 1812) +++ branches/postfixadmin-2.3/templates/create-mailbox.php 2015-10-03 09:40:37 UTC (rev 1813) @@ -12,7 +12,7 @@ </tr> <tr> <td><?php print $PALANG['pCreate_mailbox_username'] . ":"; ?></td> - <td><input class="flat" type="text" name="fUsername" value="<?php print $tUsername; ?>" autocomplete="off"/></td> + <td><input class="flat" type="text" name="fUsername" value="<?php print htmlentities($tUsername); ?>" autocomplete="off"/></td> <td>@ <select name="fDomain"> <?php @@ -44,7 +44,7 @@ </tr> <tr> <td><?php print $PALANG['pCreate_mailbox_name'] . ":"; ?></td> - <td><input class="flat" type="text" name="fName" value="<?php print $tName; ?>" /></td> + <td><input class="flat" type="text" name="fName" value="<?php print htmlentities($tName); ?>" /></td> <td><?php print $pCreate_mailbox_name_text; ?></td> </tr> <?php if ($CONF['quota'] == 'YES') { ?> Modified: branches/postfixadmin-2.3/templates/fetchmail.php =================================================================== --- branches/postfixadmin-2.3/templates/fetchmail.php 2015-10-03 08:58:21 UTC (rev 1812) +++ branches/postfixadmin-2.3/templates/fetchmail.php 2015-10-03 09:40:37 UTC (rev 1813) 
@@ -120,12 +120,12 @@ function _edit_text($id,$key,$def_vals,$val=""){ $val=htmlspecialchars($val); - return "<input type=text name=${key} id=${id} value='${val}'>"; + return "<input type=text name=${key} id=${id} value='" . htmlentities($val, ENT_QUOTES) . "'>"; } function _edit_password($id,$key,$def_vals,$val=""){ $val=preg_replace("{.}","*",$val); - return "<input type=password name=${key} id=${id} value='${val}'>"; + return "<input type=password name=${key} id=${id} value=''>"; } function _edit_num($id,$key,$def_vals,$val=""){ @@ -143,7 +143,7 @@ function _edit_longtext($id,$key,$def_vals,$val=""){ $val=htmlspecialchars($val); - return "<textarea name=${key} id=${id} rows=2 style='width:20em;'>${val}</textarea>"; + return "<textarea name=${key} id=${id} rows=2 style='width:20em;'>" . htmlentities($val, ENT_QUOTES) . "</textarea>"; } function _edit_enum($id,$key,$def_vals,$val=""){ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
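Review bot: in the admin_create-admin.php hunk, `htmlentities($tUsername)` is called with no flags and no charset, so its output depends on the PHP version (the default charset was ISO-8859-1 before PHP 5.4 and UTF-8 from 5.4 on) and it converts every character that has a named entity, which can garble non-ASCII usernames when the assumed charset differs from the page's. The escaping itself is sufficient here because the `value` attribute is double-quoted and the default ENT_COMPAT flag does encode `"`; the more predictable form would be `htmlspecialchars($tUsername, ENT_QUOTES, 'UTF-8')`, which also matches the ENT_QUOTES flag this same commit uses in fetchmail.php.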
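Review bot: both create-mailbox.php hunks (the `fUsername` and `fName` inputs) have the same flag and charset issue: `htmlentities($tUsername)` and `htmlentities($tName)` rely on PHP's version-dependent default charset and convert all named-entity characters, so a non-ASCII mailbox name can come back mangled on a validation error even though the XSS is closed. Suggest `htmlspecialchars($tName, ENT_QUOTES, 'UTF-8')` (and the same for `$tUsername`) so that only the five HTML-significant characters are touched and the behaviour is identical across PHP versions.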
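Review bot: the `_edit_text()` change double-encodes: `$val=htmlspecialchars($val);` is kept and the new line then applies `htmlentities($val, ENT_QUOTES)` to the already-escaped string, so `&` becomes `&amp;amp;` and `"` becomes `&amp;quot;`, and a value such as `O'Reilly & Co` is redisplayed in the field as `O'Reilly &amp; Co`. The actual defect was that the attribute is single-quoted while the existing `htmlspecialchars()` call uses the default ENT_COMPAT flag, which leaves `'` unescaped; the minimal fix is to change the existing call to `htmlspecialchars($val, ENT_QUOTES)` and keep `value='${val}'` unchanged. In `_edit_password()` the new `value=''` is the right call, but `$val=preg_replace("{.}","*",$val);` is now dead code and can go.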
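Review bot: `_edit_longtext()` has the same double-escaping as `_edit_text()`: `$val=htmlspecialchars($val);` already neutralises `<`, `>`, `&` and `"` (including a `</textarea>` close tag in the value), and wrapping the result in `htmlentities($val, ENT_QUOTES)` again turns `&amp;` into `&amp;amp;`, so user text containing `&`, `<` or `"` is shown escaped inside the textarea on a validation error. Inside textarea content quotes need no special treatment, so the original `htmlspecialchars()` call was already adequate here; drop the extra `htmlentities()` wrap or, for consistency with the rest of the file, fold the flags into the one existing call.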