external
/
mailinabox
mirror of https://github.com/mail-in-a-box/mailinabox.git
1
0
Fork 0
Code Issues Releases Wiki Activity
mailinabox/management
History
Joshua Tauberer a14b17794b simplify how munin-cgi-graph is called to reduce the attack surface area 
Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.

Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.

The vulnerability was created by 6d6f3ea391.

See #914.

This is the v0.19b hotfix commit.
 		2016-08-20 11:47:44 -04:00
..
templates some minor tweaks to the new users/aliases API documentation 2016-08-08 07:28:10 -04:00
auth.py the control panel auth hmac message should also include the user's password so that resetting a password in the database forces that user to log in to the control panel again; also use a sha256 hmac 2015-06-06 12:38:19 +00:00
backup.py Added a pre-backup script to complement post-backup script. 2016-05-11 10:11:16 +02:00
csr_country_codes.tsv drop the CSR_COUNTRY setting and ask within the control panel 2015-12-26 11:48:23 -05:00
daemon.py simplify how munin-cgi-graph is called to reduce the attack surface area 2016-08-20 11:47:44 -04:00
daily_tasks.sh nightly status checks could fail if any domains had non-ASCII characters 2016-02-13 11:51:06 -05:00
dns_update.py add SRV records for CardDAV/CalDAV 2016-07-31 20:53:57 -04:00
email_administrator.py use "127.0.0.1" throughout rather than mixing use of an IP address and "localhost" 2016-05-06 09:10:38 -04:00
mail_log.py Added received mail count to hourly activity overview in mail log management script 2016-06-10 13:08:57 +02:00
mailconfig.py Allow files in /home/user-data/mail/mailboxes 2016-02-21 13:49:07 +01:00
ssl_certificates.py ssl_certificates: also forgot to catch free_tls_certificates.client.RateLimited 2016-03-06 14:39:34 -05:00
status_checks.py put the ufw status checks in the network section, add a punctuation mark, add changelog entry 2016-07-29 09:23:36 -04:00
utils.py merge functions get_web_domains and get_default_www_redirects 2015-11-29 14:46:08 +00:00
web_update.py provision tls certificates from the control panel 2016-01-04 18:43:16 -05:00