Thread: SF.net SVN: postfixadmin:[1673] branches/postfixadmin-2.3 (Page 3)
From: <chr...@us...> - 2014-05-18 19:52:54
Revision: 1673 http://sourceforge.net/p/postfixadmin/code/1673 Author: christian_boltz Date: 2014-05-18 19:52:51 +0000 (Sun, 18 May 2014) Log Message: ----------- edit-mailbox.php: - fix query to enable/disable alias in edit-mailbox for PostgreSQL https://sourceforge.net/p/postfixadmin/bugs/311/ CHANGELOG.TXT: - update for the above fix - add CVE number for the show_gen_status() SQL injection fixed in 2.3.7 Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/edit-mailbox.php Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2014-05-11 23:09:18 UTC (rev 1672) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2014-05-18 19:52:51 UTC (rev 1673) @@ -10,9 +10,12 @@ # Last update: # $Id$ +Changes since the 2.3.7 release: + - fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311) + Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch) ---------------------------------------------------------------- - - SECURITY: fix SQL injection in show_gen_status() + - SECURITY: fix SQL injection in show_gen_status() (CVE-2014-2655) - lt.lang, da.lang translation update - when enabling/disabling a mailbox, also update the corresponding alias - fix creating superadmin in setup.php with MariaDB (more strict SQL) Modified: branches/postfixadmin-2.3/edit-mailbox.php =================================================================== --- branches/postfixadmin-2.3/edit-mailbox.php 2014-05-11 23:09:18 UTC (rev 1672) +++ branches/postfixadmin-2.3/edit-mailbox.php 2014-05-18 19:52:51 UTC (rev 1673) 
@@ -162,7 +162,7 @@ else { db_log ($SESSID_USERNAME, $fDomain, 'edit_mailbox', $fUsername); - $result = db_query ("UPDATE $table_alias SET active=$sqlActive WHERE address='$fUsername' AND domain='$fDomain'"); + $result = db_query ("UPDATE $table_alias SET active='$sqlActive' WHERE address='$fUsername' AND domain='$fDomain'"); if ($result['rows'] != 1) { $error = 1; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
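Review bot: the UPDATE still interpolates $fUsername and $fDomain straight into the SQL string; this hunk only adds quotes around $sqlActive, so the safety of the `WHERE address='$fUsername' AND domain='$fDomain'` clause rests entirely on both variables having been passed through the project's escaping helper earlier in edit-mailbox.php. Confirm that in the same change, or build the statement through the helper at this line. A one-line comment saying why $sqlActive must be quoted (the PostgreSQL failure in #311) would also stop a later cleanup from reverting it.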
From: <chr...@us...> - 2015-09-28 20:37:55
Revision: 1806 http://sourceforge.net/p/postfixadmin/code/1806 Author: christian_boltz Date: 2015-09-28 20:37:53 +0000 (Mon, 28 Sep 2015) Log Message: ----------- templates/users_login.php: - don't prefill username in users/ login on failed logins - fixes (probably harmless) XSS. Thanks to Juan Rossi for reporting this! Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/templates/users_login.php Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-26 18:54:50 UTC (rev 1805) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:37:53 UTC (rev 1806) @@ -12,6 +12,8 @@ Changes since the 2.3.7 release: - fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311) + - don't prefill username in users/ login on failed logins - fixes (probably + harmless) XSS Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch) ---------------------------------------------------------------- Modified: branches/postfixadmin-2.3/templates/users_login.php =================================================================== --- branches/postfixadmin-2.3/templates/users_login.php 2015-09-26 18:54:50 UTC (rev 1805) +++ branches/postfixadmin-2.3/templates/users_login.php 2015-09-28 20:37:53 UTC (rev 1806) @@ -7,7 +7,7 @@ </tr> <tr> <td><?php print $PALANG['pUsersLogin_username'] . ":"; ?></td> - <td><input class="flat" type="text" name="fUsername" value="<?php print $tUsername; ?>" /></td> + <td><input class="flat" type="text" name="fUsername" /></td> </tr> <tr> <td><?php print $PALANG['pUsersLogin_password'] . ":"; ?></td> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
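Review bot: dropping the value attribute removes the reflection but not its root cause, which is that $tUsername was printed unescaped; `value="<?php print htmlentities($tUsername, ENT_QUOTES); ?>"` would keep the prefill and fix the bug, and the same `value="<?php print $t...; ?>"` pattern should be grepped for in the other templates. Whether this is "probably harmless" as the CHANGELOG hunk says depends on how fUsername reaches the template: if it can arrive in a GET parameter this is a reflected XSS on an unauthenticated page, so the entry should not understate it.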
From: <chr...@us...> - 2015-09-28 20:40:19
Revision: 1807 http://sourceforge.net/p/postfixadmin/code/1807 Author: christian_boltz Date: 2015-09-28 20:40:17 +0000 (Mon, 28 Sep 2015) Log Message: ----------- debian/control: - allow MariaDB in Debian package dependencies Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/debian/control Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:37:53 UTC (rev 1806) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:40:17 UTC (rev 1807) @@ -14,6 +14,7 @@ - fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311) - don't prefill username in users/ login on failed logins - fixes (probably harmless) XSS + - allow MariaDB in Debian package dependencies Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch) ---------------------------------------------------------------- Modified: branches/postfixadmin-2.3/debian/control =================================================================== --- branches/postfixadmin-2.3/debian/control 2015-09-28 20:37:53 UTC (rev 1806) +++ branches/postfixadmin-2.3/debian/control 2015-09-28 20:40:17 UTC (rev 1807) 
@@ -8,11 +8,11 @@ Package: postfixadmin Architecture: all -Depends: debconf (>= 0.5), dbconfig-common, wwwconfig-common, apache2 | lighttpd | httpd, libapache2-mod-php5 | php5-cgi | php5, php5-imap, php5-mysql | php5-pgsql, mysql-client | postgresql-client, ${misc:Depends} -Recommends: postfix-mysql | postfix-pgsql, mysql-server | postgresql-server | postgresql +Depends: debconf (>= 0.5), dbconfig-common, wwwconfig-common, apache2 | lighttpd | httpd, libapache2-mod-php5 | php5-cgi | php5, php5-imap, php5-mysql | php5-mysqlnd | php5-pgsql, mysql-client | postgresql-client | mariadb-client, ${misc:Depends} +Recommends: postfix-mysql | postfix-pgsql, mysql-server | postgresql-server | mariadb-server | postgresql Suggests: squirrelmail-postfixadmin, dovecot-common | courier-authlib-mysql | courier-authlib-postgresql Description: Virtual mail hosting interface for Postfix - Postfixadmin is a web interface to managing virtual users and domains + Postfixadmin is a web interface to manage virtual users and domains for a Postfix mail transport agent. The web interface is written in PHP. It supports Virtual mailboxes, aliases, forwarders and vacation. . This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
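Review bot: the Recommends alternatives are now interleaved, `mysql-server | postgresql-server | mariadb-server | postgresql` mixes the two database families; `mysql-server | mariadb-server | postgresql-server | postgresql` reads as the intended choice. The Depends line also adds php5-mysqlnd as an alternative to php5-mysql, which the Log Message ("allow MariaDB in Debian package dependencies") does not mention; a word about it in the CHANGELOG entry would help packagers.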
From: <chr...@us...> - 2015-09-28 20:46:01
Revision: 1808 http://sourceforge.net/p/postfixadmin/code/1808 Author: christian_boltz Date: 2015-09-28 20:45:58 +0000 (Mon, 28 Sep 2015) Log Message: ----------- 2.3.8 release - update version number and changelog Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/debian/changelog branches/postfixadmin-2.3/functions.inc.php Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:40:17 UTC (rev 1807) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:45:58 UTC (rev 1808) @@ -10,7 +10,8 @@ # Last update: # $Id$ -Changes since the 2.3.7 release: +Version 2.3.8 - 2015/09/29 - SVN r1808 (postfixadmin-2.3 branch) +---------------------------------------------------------------- - fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311) - don't prefill username in users/ login on failed logins - fixes (probably harmless) XSS Modified: branches/postfixadmin-2.3/debian/changelog =================================================================== --- branches/postfixadmin-2.3/debian/changelog 2015-09-28 20:40:17 UTC (rev 1807) +++ branches/postfixadmin-2.3/debian/changelog 2015-09-28 20:45:58 UTC (rev 1808) @@ -1,3 +1,10 @@ +postfixadmin (2.3.8-1) unstable; urgency=low + + * New upstream release (v2.3.8) + * update dependencies to allow mariadb as database + + -- David Goodwin (PalePurple) <da...@pa...> Tue, 29 Sep 2015 09:30:00 +0100 + postfixadmin (2.3.7-1) unstable; urgency=low * New upstream release (v2.3.7) Modified: branches/postfixadmin-2.3/functions.inc.php =================================================================== --- branches/postfixadmin-2.3/functions.inc.php 2015-09-28 20:40:17 UTC (rev 1807) +++ branches/postfixadmin-2.3/functions.inc.php 2015-09-28 20:45:58 UTC (rev 1808) 
@@ -16,7 +16,7 @@ * Contains re-usable code. */ -$version = '2.3.7'; +$version = '2.3.8'; /** * check_session This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <chr...@us...> - 2015-10-03 09:40:40
Revision: 1813 http://sourceforge.net/p/postfixadmin/code/1813 Author: christian_boltz Date: 2015-10-03 09:40:37 +0000 (Sat, 03 Oct 2015) Log Message: ----------- create-mailbox.php - fix escaping in username and name field (again reported by Juan Rossi) admin_create-admin.php - fix escaping in username input field fetchmail.php - fix escaping in input and textarea fields - don't echo back the password to the browser This fixes some harmless XSS which is POST-only and can only be used by authenticated admins to attack themselves. Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/templates/admin_create-admin.php branches/postfixadmin-2.3/templates/create-mailbox.php branches/postfixadmin-2.3/templates/fetchmail.php Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-03 08:58:21 UTC (rev 1812) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-03 09:40:37 UTC (rev 1813) @@ -16,6 +16,9 @@ - don't prefill username in users/ login on failed logins - fixes (probably harmless) XSS - fix show_gen_status() to properly escape mail addresses in query (#356) + - fix escaping in create-admin, create-mailbox and fetchmail templates - + fixes (harmless) XSS on form validation errors + - don't echo the password back to the browser in the fetchmail form - allow MariaDB in Debian package dependencies Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch) Modified: branches/postfixadmin-2.3/templates/admin_create-admin.php =================================================================== --- branches/postfixadmin-2.3/templates/admin_create-admin.php 2015-10-03 08:58:21 UTC (rev 1812) +++ branches/postfixadmin-2.3/templates/admin_create-admin.php 2015-10-03 09:40:37 UTC (rev 1813) 
@@ -7,7 +7,7 @@ </tr> <tr> <td><?php print $PALANG['pAdminCreate_admin_username'] . ":"; ?></td> - <td><input class="flat" type="text" name="fUsername" value="<?php print $tUsername; ?>" /></td> + <td><input class="flat" type="text" name="fUsername" value="<?php print htmlentities($tUsername); ?>" /></td> <td><?php print $pAdminCreate_admin_username_text; ?></td> </tr> <tr> Modified: branches/postfixadmin-2.3/templates/create-mailbox.php =================================================================== --- branches/postfixadmin-2.3/templates/create-mailbox.php 2015-10-03 08:58:21 UTC (rev 1812) +++ branches/postfixadmin-2.3/templates/create-mailbox.php 2015-10-03 09:40:37 UTC (rev 1813) @@ -12,7 +12,7 @@ </tr> <tr> <td><?php print $PALANG['pCreate_mailbox_username'] . ":"; ?></td> - <td><input class="flat" type="text" name="fUsername" value="<?php print $tUsername; ?>" autocomplete="off"/></td> + <td><input class="flat" type="text" name="fUsername" value="<?php print htmlentities($tUsername); ?>" autocomplete="off"/></td> <td>@ <select name="fDomain"> <?php @@ -44,7 +44,7 @@ </tr> <tr> <td><?php print $PALANG['pCreate_mailbox_name'] . ":"; ?></td> - <td><input class="flat" type="text" name="fName" value="<?php print $tName; ?>" /></td> + <td><input class="flat" type="text" name="fName" value="<?php print htmlentities($tName); ?>" /></td> <td><?php print $pCreate_mailbox_name_text; ?></td> </tr> <?php if ($CONF['quota'] == 'YES') { ?> Modified: branches/postfixadmin-2.3/templates/fetchmail.php =================================================================== --- branches/postfixadmin-2.3/templates/fetchmail.php 2015-10-03 08:58:21 UTC (rev 1812) +++ branches/postfixadmin-2.3/templates/fetchmail.php 2015-10-03 09:40:37 UTC (rev 1813) 
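Review bot: all three htmlentities() calls in these hunks omit ENT_QUOTES and a charset. That is sufficient today because the attributes are double-quoted (the default flags escape `"`), but it is inconsistent with the fetchmail.php hunk in the same commit, which passes ENT_QUOTES, and it fails silently the day someone switches one of these attributes to single quotes. `htmlentities($tUsername, ENT_QUOTES, 'UTF-8')` (likewise for $tName) is the safe form; the explicit charset also matters because the default charset of htmlentities() differs between PHP versions, and a non-ASCII display name in fName would otherwise come back mangled.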
@@ -120,12 +120,12 @@ function _edit_text($id,$key,$def_vals,$val=""){ $val=htmlspecialchars($val); - return "<input type=text name=${key} id=${id} value='${val}'>"; + return "<input type=text name=${key} id=${id} value='" . htmlentities($val, ENT_QUOTES) . "'>"; } function _edit_password($id,$key,$def_vals,$val=""){ $val=preg_replace("{.}","*",$val); - return "<input type=password name=${key} id=${id} value='${val}'>"; + return "<input type=password name=${key} id=${id} value=''>"; } function _edit_num($id,$key,$def_vals,$val=""){ @@ -143,7 +143,7 @@ function _edit_longtext($id,$key,$def_vals,$val=""){ $val=htmlspecialchars($val); - return "<textarea name=${key} id=${id} rows=2 style='width:20em;'>${val}</textarea>"; + return "<textarea name=${key} id=${id} rows=2 style='width:20em;'>" . htmlentities($val, ENT_QUOTES) . "</textarea>"; } function _edit_enum($id,$key,$def_vals,$val=""){ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
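Review bot: `_edit_text` and `_edit_longtext` now encode twice: the unchanged `$val=htmlspecialchars($val);` on the preceding line still runs, and htmlentities($val, ENT_QUOTES) then re-encodes the `&` of every entity, so a stored value containing `&` or `<` is shown to the user as `&amp;` / `&lt;` and, if the form is resubmitted unchanged, saved in that form. The actual defect is that htmlspecialchars() without ENT_QUOTES leaves `'` untouched while the attribute is single-quoted; the minimal fix is `$val=htmlspecialchars($val, ENT_QUOTES);` on the existing line with the return statements left alone (quoting the bare `name=${key} id=${id}` attributes while here would not hurt either). In `_edit_password` the `preg_replace("{.}","*",$val)` line is now dead code since value is always empty and can be removed.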
From: <chr...@us...> - 2015-10-11 19:38:01
Revision: 1819 http://sourceforge.net/p/postfixadmin/code/1819 Author: christian_boltz Date: 2015-10-11 19:37:59 +0000 (Sun, 11 Oct 2015) Log Message: ----------- create-mailbox.php: - enforce $CONF[min_password_length] reported by voytek eymont in https://sourceforge.net/p/postfixadmin/discussion/676076/thread/914cf02e/ Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/create-mailbox.php Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-07 19:44:38 UTC (rev 1818) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-11 19:37:59 UTC (rev 1819) @@ -10,6 +10,10 @@ # Last update: # $Id$ +Changes since the 2.3.8 release +------------------------------- + - enforce $CONF[min_password_length] in create-mailbox + Version 2.3.8 - 2015/10/07 - SVN r1814 (postfixadmin-2.3 branch) ---------------------------------------------------------------- - fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311) Modified: branches/postfixadmin-2.3/create-mailbox.php =================================================================== --- branches/postfixadmin-2.3/create-mailbox.php 2015-10-07 19:44:38 UTC (rev 1818) +++ branches/postfixadmin-2.3/create-mailbox.php 2015-10-11 19:37:59 UTC (rev 1819) @@ -129,6 +129,12 @@ $tDomain = $fDomain; $pCreate_mailbox_password_text = $PALANG['pCreate_mailbox_password_text_error']; } + } else { + $min_length = $CONF['min_password_length']; + if($min_length > 0 && strlen($fPassword) < $min_length) { + flash_error(sprintf($PALANG['pPasswordTooShort'], $CONF['min_password_length'])); + $error = 1; + } } if ($CONF['quota'] == "YES") This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
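Review bot: the new length check sits in the `else` branch of a block whose condition is outside the hunk, so it only runs when the earlier branch (the one that sets pCreate_mailbox_password_text_error) was not taken; confirm that branch is the password-mismatch case and that no path with an empty or generated password skips the check. Two smaller points: `strlen()` counts bytes, so a multibyte password is measured as longer than its character count (lenient rather than unsafe, but worth a comment), and `$CONF['min_password_length']` is read without isset(), so a config.inc.php that does not define the setting produces a PHP notice; since `$min_length` already holds the value, the sprintf() could reuse it instead of reading $CONF a second time.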