J-Security Center

Title: Postaci Arbitrary SQL Command Injection Vulnerability

Severity: MODERATE

Description:

Postaci is a freely available, open source webmail interface designed for multi-user webmail environments and backed by a SQL database. It is written and maintained by Umut Gokbayrak.

A flaw in the software may allow remote users to pass malicious queries to the database server. This affects Postaci installations backed by the PostgreSQL database and does not affect those using MySQL. Because of the way commands are passed to the PostgreSQL database, it is possible to append or inject arbitrary SQL commands into the request of a legitimate user. Postaci sends its commands to the database through PHP pages and HTML FORM submissions. The FORM values that Postaci passes to PostgreSQL allow semicolons, which can be used to append additional database queries or other commands to the end of the command sent by a legitimate user. This makes it possible for a malicious user to inject and execute arbitrary commands on the database.
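The following is an added illustration of the vulnerability class described above, not code from Postaci itself; the table and column names (mailboxes, username, mailbox) and the $conn handle from pg_connect() are assumed. It places the vulnerable PHP pattern beside a hardened one that removes the semicolon problem.

```php
<?php
// Added illustration of the advisory's vulnerability class; not Postaci's code.
// Assumed: a PostgreSQL connection $conn from pg_connect(), and a table
// "mailboxes" with columns "username" and "mailbox".

// Vulnerable pattern: a FORM value is spliced directly into the query text.
// pg_query() sends the string as a simple query, and PostgreSQL executes every
// semicolon-separated statement it contains, so a ';' inside $username lets the
// requester append further statements after the legitimate one.
function lookup_mailbox_vulnerable($conn, string $username)
{
    $sql = "SELECT mailbox FROM mailboxes WHERE username = '" . $username . "'";
    return pg_query($conn, $sql);
}

// Hardened pattern: the value travels as a bound parameter. pg_query_params()
// uses PostgreSQL's extended query protocol, which accepts exactly one statement
// per call and never interprets parameter contents as SQL, so semicolons and
// quotes in $username are inert data. ($1 is single-quoted so PHP leaves it alone.)
function lookup_mailbox_safe($conn, string $username)
{
    $sql = 'SELECT mailbox FROM mailboxes WHERE username = $1';
    return pg_query_params($conn, $sql, [$username]);
}

// Additional defence for input that must reach a query as text: reject
// anything outside a strict username character set before it touches SQL.
// The pattern is an assumed policy, not one taken from Postaci.
function is_valid_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username);
}

// Usage sketch (assumed request handling):
// if (!is_valid_username($_POST['username'])) { http_response_code(400); exit; }
// $result = lookup_mailbox_safe($conn, $_POST['username']);
```

Parameterisation is the fix that actually closes the hole; the character whitelist only narrows what the vulnerable code path can receive and is not a substitute.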

Affected Products:

  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Umut Gokbayrak Postaci 1.1.2
  • Umut Gokbayrak Postaci 1.1.3

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.