Re: CVE request: PostfixAdmin SQL injections and XSS

[Kurt Seifried <kseifried () redhat com>]

> > > Please assign a CVE number to those issues.
> > >
> > > The issues are fixed in PostfixAdmin 2.3.5, which I'll release
> > > today or tomorrow.
> > >
> > > For reference, here's the changelog with all details:
> > >   - fix SQL injection in pacrypt() (if $CONF[encrypt] ==
> > >   'mysql_encrypt') 
> > >   - fix SQL injection in backup.php - the dump
> > >   was not mysql_escape()d,>   
> > >     therefore users could inject SQL (for example in the
> > >     vacation message) which will be executed when restoring
> > >     the database dump. WARNING: database dumps created with
> > >     backup.php from 2.3.4 or older might>     
> > >              contain malicious SQL. Double-check
> > >              before using them!

Please use CVE-2012-0811 for PostfixAdmin 2.3.4 multiple SQL vulnerabilities

> > >   - fix XSS with $_GET[domain] in templates/menu.php and
> > >   edit-vacation - fix XSS in some create-domain input fields
> > >   - fix XSS in create-alias and edit-alias error message
> > >   - fix XSS (by values stored in the database) in fetchmail list

Please use CVE-2012-0812 for PostfixAdmin 2.3.4 multiple XSS
vulnerabilities

> > So basically we have two sets of vulnerabilities: multiple SQL
> > injections and multiple XSS vulnerabilities, correct?
>
> Yes, correct.
> (For completeness: the last 3 items ($LANG, the "forward only" marker 
> and the hex2bin change) are non-security fixes.)
>
>
> Gruß
>
> Christian Boltz

Thanks.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)