[v2.5] postfixadmin: remote arbitrary SQL commands execution (CVE-2014-2655)
SQL injection vulnerability in the gen_show_status function in functions.inc.php in Postfix Admin (aka postfixadmin) before 2.3.7 allows remote authenticated users to execute arbitrary SQL commands via a new alias.
BID: 66455
URL: http://www.securityfocus.com/bid/66455
MLIST: [oss-security] 20140326 CVE request: postfixadmin SQL injection vulnerability
URL: http://www.openwall.com/lists/oss-security/2014/03/26/6
MLIST: [oss-security] 20140326 Re: CVE request: postfixadmin SQL injection vulnerability
URL: http://www.openwall.com/lists/oss-security/2014/03/26/11
CONFIRM: http://sourceforge.net/p/postfixadmin/code/1650
(from redmine: issue id 2813, created on 2014-04-03, closed on 2014-04-18)
- Relations:
  - parent #2811 (closed)
- Changesets:
  - Revision d4c0508b by Natanael Copa on 2014-04-17T09:35:07Z:
    main/postfixadmin: security upgrade to 2.3.7 (CVE-2014-2655)
    fixes #2813