Postaci Arbitrary SQL Command Injection Vulnerability

Postaci is a freely available, open source webmail interface designed for multi-user webmail environments and backed by a SQL database. It is written and maintained by Umut Gokbayrak.

A flaw in the software may allow remote users to pass malicious queries to the database server. It affects Postaci installations backed by the PostgreSQL database and does not affect those using MySQL. Because of the way commands are passed to the PostgreSQL database, arbitrary SQL commands can be appended to, or injected into, the request of a legitimate user. Postaci sends its commands to the database from PHP pages using FORM methods, and the FORM values it passes to PostgreSQL may contain semicolons; since a semicolon acts as a statement separator, it can be used to append further database queries or other commands to the end of a command sent by a legitimate user. As a result, a user with malicious motives can inject and execute arbitrary commands on the database.
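The following is an added illustration, not code from the Postaci project or the advisory. It reproduces the pattern the advisory describes in a self-contained Python script: a query built by concatenating a form value into SQL, executed against a backend that runs every statement it is handed (SQLite's `executescript` stands in for the permissive PostgreSQL path; the table, rows and form values are constructed for the demo). A small literal-aware statement counter shows how a defender can spot stacked statements in a query string or query log without being fooled by semicolons inside quoted values, and the parameterized variant shows that the same input is harmless once it is bound rather than concatenated.

```python
import sqlite3


def make_db():
    """Constructed sample data: a folders table for two hypothetical users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE folders (id INTEGER PRIMARY KEY, owner TEXT, name TEXT);
        INSERT INTO folders (owner, name) VALUES
            ('alice', 'INBOX'), ('alice', 'Sent'), ('bob', 'INBOX');
        """
    )
    return conn


def remaining_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM folders").fetchone()[0]


def count_statements(sql):
    """Count top-level SQL statements, ignoring ';' inside single-quoted literals.

    A doubled quote ('') inside a literal is treated as an escaped quote.
    A legitimate single query yields 1; a stacked-statement injection yields >= 2.
    """
    count = 0
    in_literal = False
    pending = False  # non-whitespace seen since the last top-level ';'
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_literal:
            if c == "'":
                if sql[i + 1:i + 2] == "'":
                    i += 1  # escaped quote: skip it and stay inside the literal
                else:
                    in_literal = False
        elif c == "'":
            in_literal = True
            pending = True
        elif c == ";":
            if pending:
                count += 1
                pending = False
        elif not c.isspace():
            pending = True
        i += 1
    return count + (1 if pending else 0)


def lookup_folders_unsafe(conn, owner):
    """Vulnerable pattern: the form value is spliced straight into the SQL text.

    executescript() emulates a backend that executes every statement in the
    string it receives, which is the behaviour the advisory describes for the
    PostgreSQL path. The built SQL is returned so it can be inspected.
    """
    sql = "SELECT name FROM folders WHERE owner = '" + owner + "'"
    conn.executescript(sql)
    return sql


def lookup_folders_safe(conn, owner):
    """Hardened pattern: the form value is bound as a parameter, never parsed as SQL."""
    cur = conn.execute(
        "SELECT name FROM folders WHERE owner = ? ORDER BY id", (owner,)
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    # Constructed form value that closes the literal and appends a second statement.
    form_value = "alice'; DELETE FROM folders WHERE owner = 'bob"

    conn = make_db()
    built = lookup_folders_unsafe(conn, form_value)
    print("statements in built query:", count_statements(built))  # 2
    print("rows after unsafe lookup:", remaining_rows(conn))       # 2 (bob's row gone)

    conn = make_db()
    print("safe lookup result:", lookup_folders_safe(conn, form_value))  # []
    print("rows after safe lookup:", remaining_rows(conn))               # 3
```

The counter is what you would run over captured queries to flag stacked statements; the parameterized lookup is the fix, since the driver transmits the bound value separately and the semicolon never reaches the SQL parser as a separator.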

Copyright 2010, SecurityFocus