505940 – <www-apps/postfixadmin-2.3.7: SQL injection (CVE-2014-2655)

Bug 505940 - <www-apps/postfixadmin-2.3.7: SQL injection (CVE-2014-2655)

Summary: <www-apps/postfixadmin-2.3.7: SQL injection (CVE-2014-2655)

Status:	RESOLVED DUPLICATE of bug 502270

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-03-27 09:23 UTC by Agostino Sarubbo
Modified:	2014-06-16 10:26 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2014-03-27 09:23:41 UTC

From ${URL} :

Postfixadmin has an SQL injection vulnerability. This vulnerability is only 
exploitable by authenticated users able to create new aliases. If the alias 
contains SQL code, the list-virtual.php overview triggers the vulnerability.

The vulnerability was fixed upstream in this commit:
http://sourceforge.net/p/postfixadmin/code/1650



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Agostino Sarubbo gentoo-dev

2014-04-04 10:14:17 UTC

CVE-2014-2655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2655):

SQL injection vulnerability in the gen_show_status function in functions.inc.php in Postfix Admin (aka postfixadmin) before 2.3.7 allows remote authenticated users to execute arbitrary SQL commands via a new alias.

Comment 2 Sergey Popov gentoo-dev

2014-06-13 22:08:19 UTC


*** This bug has been marked as a duplicate of bug 502270 ***