postfixadmin SQL injection vulnerability

2014.03.26
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hi, Postfixadmin has an SQL injection vulnerability. This vulnerability is only exploitable by authenticated users able to create new aliases. If the alias contains SQL code, the list-virtual.php overview triggers the vulnerability. The vulnerability was fixed upstream in this commit: http://sourceforge.net/p/postfixadmin/code/1650 Please assign a CVE name for this issue. /branches/postfixadmin-2.3/functions.inc.php Diff Switch to side-by-side view --- a/branches/postfixadmin-2.3/functions.inc.php +++ b/branches/postfixadmin-2.3/functions.inc.php @@ -9,14 +9,14 @@ * Further details on the project are available at : * http://www.postfixadmin.com or http://postfixadmin.sf.net * - * @version $Id: functions.inc.php 1638 2014-02-13 20:12:43Z christian_boltz $ + * @version $Id: functions.inc.php 1650 2014-02-19 12:27:02Z christian_boltz $ * @license GNU GPL v2 or later. * * File: functions.inc.php * Contains re-usable code. */ -$version = '2.3.6'; +$version = '2.3.7'; /** * check_session @@ -2175,6 +2175,8 @@ global $CONF, $table_alias; $stat_string = ""; + $show_alias = escape_string($show_alias); + $stat_goto = ""; $stat_result = db_query ("SELECT goto FROM $table_alias WHERE address='$show_alias'"); if ($stat_result['rows'] > 0)
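Review bot: in the `@@ -2175,6 +2175,8 @@` hunk the fix escapes `$show_alias` once at the top of the function and then still interpolates it into `"SELECT goto FROM $table_alias WHERE address='$show_alias'"`, which is only safe while the value sits inside a quoted string literal and while every later use of `$show_alias` in the function expects the already-escaped form. Binding the value as a query parameter, or at least escaping at the point of use, would make the query safe regardless of how the variable is reused further down; the hunk as shown also gives no comment explaining why the escaping is needed here, which is worth one line so the call is not removed in a later cleanup.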
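The second-order injection the advisory describes, as an added example that is not PostfixAdmin's code: a stored alias address is later pasted into a `SELECT` by string interpolation, shown beside a parameterised form that swaps the project's `escape_string` for PDO parameter binding. It assumes PHP with `pdo_sqlite` and uses constructed rows in an in-memory database.

```php
<?php
// Added example (not PostfixAdmin code). Assumes the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE alias (address TEXT, goto TEXT)");

// Constructed rows: one ordinary alias and one whose address carries a quote,
// i.e. the "alias contains SQL code" case from the advisory.
$ins = $pdo->prepare("INSERT INTO alias (address, goto) VALUES (?, ?)");
$ins->execute(['sales@example.com', 'alice@example.com']);
$ins->execute(["x@example.com' OR '1'='1", 'bob@example.com']);

// Vulnerable pattern: the stored value becomes part of the SQL text, so a
// quote inside it changes the structure of the WHERE clause.
function goto_unsafe(PDO $pdo, string $show_alias): array
{
    $res = $pdo->query("SELECT goto FROM alias WHERE address='$show_alias'");
    return $res->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value is sent as a bound parameter and is compared
// literally against the column; the driver never parses it as SQL.
function goto_safe(PDO $pdo, string $show_alias): array
{
    $stmt = $pdo->prepare("SELECT goto FROM alias WHERE address = ?");
    $stmt->execute([$show_alias]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The overview page would call this once per stored alias; here we look up
// the crafted one both ways.
$crafted = "x@example.com' OR '1'='1";
print_r(goto_unsafe($pdo, $crafted));
print_r(goto_safe($pdo, $crafted));
```

With the crafted row, the interpolated query's clause becomes `address='x@example.com' OR '1'='1'` and returns every `goto` in the table, while the bound query returns only the row whose stored address literally equals the value.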

References:

http://sourceforge.net/p/postfixadmin/code/1650

