Bug 870434 (CVE-2014-2655) - VUL-0: CVE-2014-2655: postfixadmin: SQL injection vulnerability
Status: RESOLVED FIXED
Alias: CVE-2014-2655
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 12.3
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Christian Boltz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/97358/
Reported: 2014-03-26 16:38 UTC by Marcus Meissner
Modified: 2015-02-19 02:16 UTC
Found By: Security Response Team


Description Marcus Meissner 2014-03-26 16:38:56 UTC
via oss-sec

CVE request: postfixadmin SQL injection vulnerability

Hi,

Postfixadmin has an SQL injection vulnerability. This vulnerability is only 
exploitable by authenticated users able to create new aliases. If the alias 
contains SQL code, the list-virtual.php overview triggers the vulnerability.

The vulnerability was fixed upstream in this commit:
http://sourceforge.net/p/postfixadmin/code/1650

Please assign a CVE name for this issue.

Thanks,

Thijs Kinkhorst
Debian Security Team

References:
http://comments.gmane.org/gmane.comp.security.oss.general/12445
Comment 1 Swamp Workflow Management 2014-03-26 23:00:20 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-03-27 06:46:39 UTC
CVE-2014-2655
Comment 3 Christian Boltz 2014-05-18 20:56:44 UTC
MR 234640 sent to 12.3 and 13.1.

Factory has the fixed version already.
Comment 4 Bernhard Wiedemann 2014-05-18 21:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (870434) was mentioned in
https://build.opensuse.org/request/show/234640 13.1+12.3 / postfixadmin
Comment 5 Swamp Workflow Management 2014-05-27 08:04:28 UTC
openSUSE-SU-2014:0715-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 870434
CVE References: CVE-2014-2655
Sources used:
openSUSE 13.1 (src):    postfixadmin-2.3.7-5.4.1
openSUSE 12.3 (src):    postfixadmin-2.3.7-2.4.1