Postfix Admin Multiple SQL Injection and Cross Site Scripting Vulnerabilities
| Bugtraq ID: | 51680 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-0812, CVE-2012-0811 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 26 2012 12:00AM |
| Updated: | Sep 27 2012 07:10PM |
| Credit: | codseq |
| Vulnerable: | Postfix Admin Postfix Admin 2.3.4; Gentoo Linux |
| Not Vulnerable: | Postfix Admin Postfix Admin 2.3.5 |
Discussion
Postfix Admin is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Postfix Admin 2.3.4 and prior versions are vulnerable.
Exploit / POC
Attackers can use a browser to exploit these issues. To exploit the cross-site scripting issues, an attacker must entice an unsuspecting user to follow a malicious URI.
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
References
References:
- CVE request: PostfixAdmin SQL injections and XSS (Christian Boltz)
- Multiple vulnerabilities in postfixadmin (CodSeq)
- Postfix Admin Download Page (Postfix Admin)
- Postfix Admin Homepage (Postfix Admin)