The Postfix Admin team have just released PostfixAdmin 2.3.5 which is a security update that fixes some
SQL injections (CVE-2012-0811) and XSS vulnerabilities (CVE-2012-0812). So this is an important update and you are all advised to upgrade as soon as possible. Be warned that backups created with backup.php from 2.3.4 and earlier can contain SQL injections that will be executed when you restore the backup. In other words: Double-check old backups before restoring them!

For reference, here’s the full changelog for 2.3.5:

  • fix SQL injection in pacrypt() (if $CONF[encrypt] == ‘mysql_encrypt’)
  • fix SQL injection in backup.php – the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump.
  • fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
  • fix XSS in some create-domain input fields
  • fix XSS in create-alias and edit-alias error message
  • fix XSS (by values stored in the database) in fetchmail list view, list-domain and list-virtual
  • create-domain: fix SQL injection (only exploitable by superadmins)
  • add missing $LANG['pAdminDelete_admin_error']
  • don’t mark mailbox targets with recipient delimiter as “forward only”
  • wrap hex2bin with function_exists() – PHP 5.3.8 has it as native function