SB2017032012 - Authorization bypass in PostfixAdmin
Published: March 20, 2017 Updated: August 3, 2020
Security Bulletin ID
SB2017032012
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Description
This security bulletin contains information about 1 security vulnerability.
1) Missing Authorization (CVE-ID: CVE-2017-5930)
The vulnerability allows a remote user to bypass the authorization process.
The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, because of a missing permission check.
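To make the class of bug concrete, the following is an added, hypothetical model of an alias-deletion handler; it is not PostfixAdmin's own code. The vulnerable version only checks that the caller administers the alias's domain, while the fixed version additionally refuses to let a domain admin remove a protected alias (assumed here to be reserved to superadmins; the protected local parts and the data model are constructed for the example).

```python
from dataclasses import dataclass

# Constructed for this example: local parts treated as "protected", which a
# domain admin must not be able to delete (assumed to be superadmin-only).
PROTECTED_LOCALPARTS = frozenset({"abuse", "postmaster", "hostmaster", "webmaster"})


@dataclass
class Admin:
    """Hypothetical admin record: a superadmin, or a domain admin for some domains."""
    username: str
    superadmin: bool = False
    domains: frozenset = frozenset()


class AliasStore:
    """Minimal in-memory stand-in for the alias table."""
    def __init__(self, aliases):
        self.aliases = set(aliases)

    def remove(self, address: str) -> bool:
        """Delete the alias; report whether it existed."""
        if address not in self.aliases:
            return False
        self.aliases.remove(address)
        return True


def localpart_of(address: str) -> str:
    return address.rsplit("@", 1)[0]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1]


def _domain_permitted(admin: Admin, address: str) -> bool:
    """Check shared by both versions: superadmins act anywhere, domain admins only in their domains."""
    return admin.superadmin or domain_of(address) in admin.domains


def delete_alias_vulnerable(store: AliasStore, admin: Admin, address: str) -> bool:
    """Before the fix: domain ownership is verified, but protected aliases are not."""
    if not _domain_permitted(admin, address):
        return False
    return store.remove(address)


def delete_alias_fixed(store: AliasStore, admin: Admin, address: str) -> bool:
    """After the fix: a domain admin is additionally denied deletion of protected aliases."""
    if not _domain_permitted(admin, address):
        return False
    if not admin.superadmin and localpart_of(address) in PROTECTED_LOCALPARTS:
        return False  # permission check that was missing in the vulnerable path
    return store.remove(address)
```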
Remediation
Install the update from the vendor's website.
References
- http://lists.opensuse.org/opensuse-updates/2017-02/msg00076.html
- http://www.openwall.com/lists/oss-security/2017/02/08/1
- http://www.openwall.com/lists/oss-security/2017/02/09/1
- http://www.securityfocus.com/bid/96142
- https://github.com/postfixadmin/postfixadmin/blob/postfixadmin-3.0.2/CHANGELOG.TXT
- https://github.com/postfixadmin/postfixadmin/pull/23
- https://sourceforge.net/p/postfixadmin/mailman/message/35646827/