FreeBSD : postfixadmin -- Multiple Vulnerabilities (93688f8f-4935-11e1-89b4-001ec9578670)

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.

Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

The Postfix Admin Team reports :

Multiple XSS vulnerabilities exist:
- XSS with $_GET[domain] in templates/menu.php and edit-vacation
- XSS in some create-domain input fields
- XSS in create-alias and edit-alias error message
- XSS (by values stored in the database) in fetchmail list view, list-domain and

Multiple SQL injection issues exist:
- SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
- SQL injection in backup.php: the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump.

WARNING: database dumps created with backup.php from 2.3.4 or older might contain malicious SQL. Double-check before using them!
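The backup.php issue above is a second-order injection: the hostile string is stored harmlessly by the web application and only becomes SQL when the dump it lands in is replayed. The following is an added illustration written for this page, not postfixadmin's own code. SQLite stands in for MySQL (so the safe literal quoting doubles single quotes rather than using MySQL's backslash escaping), and the `admin`/`vacation` tables, column names and sample messages are constructed for the demo. It builds a dump the vulnerable way and the escaped way, then restores each into a scratch database and reports which tables survive, which is also the practical way to double-check an old dump before trusting it.

```python
"""Toy reproduction of an unescaped dump/restore injection (the backup.php
class of bug). Added example, not postfixadmin code: SQLite stands in for
MySQL and the schema, column names and messages are invented for the demo."""
import sqlite3

# Constructed sample data: one harmless and one hostile vacation message.
ROWS = [
    ("alice@example.com", "Back on Monday"),
    ("mallory@example.com", "Away'); DROP TABLE admin; --"),
]

# Constructed target schema for the scratch database.
SCHEMA = """
CREATE TABLE admin (username TEXT);
INSERT INTO admin VALUES ('admin@example.com');
CREATE TABLE vacation (email TEXT, body TEXT);
"""


def dump_unescaped(rows):
    """Vulnerable dumper: values are pasted raw into INSERT statements."""
    return "\n".join(
        f"INSERT INTO vacation (email, body) VALUES ('{email}', '{body}');"
        for email, body in rows
    )


def sql_quote(value):
    """Return a safe SQLite string literal (quotes doubled, not backslashed)."""
    return "'" + value.replace("'", "''") + "'"


def dump_escaped(rows):
    """Fixed dumper: every value goes through sql_quote() before interpolation."""
    return "\n".join(
        "INSERT INTO vacation (email, body) VALUES "
        f"({sql_quote(email)}, {sql_quote(body)});"
        for email, body in rows
    )


def restore(dump_sql):
    """Replay a dump into a throwaway database and report its effects.

    Returns (tables_after, vacation_bodies). Any difference between the
    table list before and after the replay means the dump did more than
    insert rows, which is exactly what a poisoned dump does.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(dump_sql)  # runs every statement, like a mysql restore
    tables = sorted(
        name for (name,) in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"
        )
    )
    bodies = [
        body for (body,) in conn.execute("SELECT body FROM vacation ORDER BY email")
    ]
    conn.close()
    return tables, bodies


if __name__ == "__main__":
    # Unescaped dump: the admin table is gone and the payload is truncated.
    print(restore(dump_unescaped(ROWS)))
    # Escaped dump: both tables survive and the message is stored verbatim.
    print(restore(dump_escaped(ROWS)))
```

In the unescaped run the `mallory` line closes the string literal, terminates the INSERT, executes `DROP TABLE admin` and comments out the leftover `');`, so the restore completes without error and the only visible sign is the missing table. That silence is why the advisory tells you to inspect old dumps: replaying a suspect dump into a scratch database and diffing the schema, as `restore()` does, catches what eyeballing a large SQL file will not.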

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.5

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 57720

CVE ID: CVE-2012-0811
