lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 30 Jan 2012 13:30:04 +0100
From: Filippo Cavallarin <filippo.cavallarin@...seq.it>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in postfixadmin

Advisory ID:	CSA-12002
Title:	Multiple vulnerabilities in postfixadmin
Product:	postfixadmin
Version:	2.3.4 and probably prior
Vendor:	www.postifixadmin.org
Vulnerability type:	SQL injection, XSS
Vendor notification:	2012-01-10
Public disclosure:	2012-01-26


postfixadmin version 2.3.4 and probably below suffers from multiple vulnerabilities:


1) SQL injection in pacrypt function: if postfixadmin is configured with 'mysql_encrypt' the pacrypt function passes the $pw parameter to sql query without santitzing it allowing non-admin users to perform sql injection attacks.



2) SQL injection in sql dump generated by backup.php: the backup.php file generates sql queries without sanitizing values. A non-admin user can inject arbitrary sql commands into backup file that will be executed when an admin restores that backup. To test this issue try to set the vacation message of any user to:

dontcare','','dominio.com','2012-01-09 17:34:06','1');
INSERT INTO admin (username,password,created,modified,active) 
VALUES ('some@...il.com','$1$2cab7a19$zIuOsr6PXksCu13883fVg/','2012-01-08 15:48:1','2012-01-09 17:17:0','1'); #

then take a backup and restore it, the new admin some@...il.com is added to admin table.



3) XSS in edit-vacation.php: Input passed via domain GET parameter to edit-vacation.php is not properly sanitised before being returned to the user.

http://127.0.0.1/postfixadmin-2.3.4/edit-vacation.php?domain=dontcare</script><script>alert(1);</script>



4) XSS in edit-vacation.php: Input passed via fDomain POST parameter to create-domain.php is not properly sanitised before being returned to the user.
This is interesting because the fDomain variable is passed to strip_tags so something like on<a>click is trasformed to onclik. This allows to bypass browsers builtin XSS protection.
To test this issue put the following string as Domain parameter in create-domain.php, submit the form and then click on Domain's input text..

dontcare" oncli<a>ck=alert(document.cookie);//



5) Others XSS on POST vars: to exploit them you need to perform a CSRF attack that can leat to arbitrary data inserted into db insted of just a script executed in the browser.

create-alias.php and edit-alias.php
fGoto:<script>alert(1)</script>some@...il.com

edit-domain.php 
Description: <script>alert(1)</script>

create-mailbox.php and edit-mailbox.php
Name: <script>alert(1)</script>

fetchmail.php
Server: <script>alert(1)</script>

these xss (except the first one) are saved into db (ie fetchmail.php saves <script>alert(1)</script> as server name). This means that even if a remote attacker must perform a CSRF to exploit these XSS,a malicious admin can insert scripts into db that get executed when other admins load a list (ie list-virtual.php)



Solution

upgrade to postfixadmin 2.3.5



Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin@...seq.it

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ