ID CVE-2017-5930
Summary The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check.
References
Vulnerable Configurations
  • OpenSUSE Project Leap 42.1
    cpe:2.3:o:opensuse_project:leap:42.1
  • OpenSUSE Project Leap 42.2
    cpe:2.3:o:opensuse_project:leap:42.2
  • Postfix Admin Project Postfix Admin 3.0.1-1
    cpe:2.3:a:postfix_admin_project:postfix_admin:3.0.1-1
CVSS
Base: 3.5 (as of 22-03-2017 - 18:46)
Impact:
Exploitability:
CWE CWE-275
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf, e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here (see http://www.gnucitizen.org/blog/danger-danger-danger/). The client assumes that it is reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: SINGLE_INSTANCE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
metasploit via4
description Postfixadmin installations between 2.91 and 3.0.1 do not check if an admin is allowed to delete protected aliases. This vulnerability can be used to redirect protected aliases to another mail address, e.g. to rewrite the postmaster@domain alias.
id MSF:AUXILIARY/ADMIN/HTTP/PFADMIN_SET_PROTECTED_ALIAS
last seen 2018-04-14
modified 2017-12-30
published 2017-03-05
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb
title Postfixadmin Protected Alias Deletion Vulnerability
nessus via4
NASL family SuSE Local Security Checks
NASL id OPENSUSE-2017-261.NASL
description postfixadmin was updated to 3.0.2 to fix the following issues:
  • PostfixAdmin 3.0.2:
    - SECURITY: don't allow deleting protected aliases (CVE-2017-5930, boo#1024211)
    - fix VacationHandler for PostgreSQL
    - AliasHandler: restrict mailbox subquery to allowed and specified domains to improve performance on setups with lots of mailboxes
    - allow switching between dovecot:* password schemes while still accepting passwords hashed using the previous dovecot:* scheme
    - FetchmailHandler: use a valid date as default for 'date'
    - fix date formatting in non-English languages when using PostgreSQL
    - various small fixes
  • PostfixAdmin 3.0:
    - add sqlite backend option
    - add configurable smtp helo (CONF['smtp_client'])
    - new translation: ro (Romanian)
    - language update: tw, cs, de
    - fix escaping in gen_show_status() (could be used to DOS list-virtual by creating a mail address with special chars)
    - add CSRF protection for POST requests
    - list.tpl: base edit/editactive/delete links in list.tpl on $RAW_item to avoid double escaping, and fix some corner cases
    - fix db_quota_text() for postgresql (concat() vs. ||)
    - change default date for 'created' and 'updated' columns from 0000-00-00 (which causes problems with MySQL strict mode) to 2000-01-01
    - allow punycode even in TLDs
    - update Smarty to 3.1.29
    - add checks to login.php and cli to ensure database layout is up to date
    - whitelist '-1' as valid value for postfixadmin-cli
    - don't stripslashes() the password in pacrypt
    - various small bugfixes
last seen 2018-01-27
modified 2018-01-26
plugin id 97281
published 2017-02-21
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=97281
title openSUSE Security Update : postfixadmin (openSUSE-2017-261)
refmap via4
bid 96142
confirm
mlist
  • [oss-security] 20170207 Re: CVE request: PostfixAdmin allows to delete protected aliases
  • [oss-security] 20170209 Re: CVE request: PostfixAdmin allows to delete protected aliases
  • [postfixadmin-devel] 20170204 Security hole in AliasHandler
suse openSUSE-SU-2017:0488
Last major update 23-03-2017 - 08:53
Published 20-03-2017 - 12:59