1 (edited by khanb 2013-12-19 21:26:25)

Topic: Security issue!!

==== Required information ====
- iRedMail version: 0.8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
====

Hi All,

You are at risk!!. Could you please check on latest iRedAdmin-Pro whether it is fetching all other domain users logs while searching external transaction logs as a single domain admin on control panel.
All have a look at it as it is security concern.

Regards,
Khanb

2

Re: Security issue!!

Thanks very much for your feedback, i will check this issue and come back later.

3

Re: Security issue!!

Hi Khanb,

I can reproduce this issue and It's a bug of iRedAdmin-Pro. Fixed moment ago and will release a bugfix release of iRedAdmin-Pro soon.
Thanks again for your feedback.

4

Re: Security issue!!

ZhangHuangbin wrote:

Hi Khanb,

I can reproduce this issue and It's a bug of iRedAdmin-Pro. Fixed moment ago and will release a bugfix release of iRedAdmin-Pro soon.
Thanks again for your feedback.

Hi Zhang,

Thanks in advance. Hope we will be getting same patch for iRedAdmin-Pro-1.6.3 version as clients are very much concern about the security.

Regards,

Khanb

5

Re: Security issue!!

khanb wrote:

Thanks in advance. Hope we will be getting same patch for iRedAdmin-Pro-1.6.3 version as clients are very much concern about the security.

Why not upgrade to the latest stable release after we released it (i mean the new one with this bug fix)?

6

Re: Security issue!!

ZhangHuangbin wrote:
khanb wrote:

Thanks in advance. Hope we will be getting same patch for iRedAdmin-Pro-1.6.3 version as clients are very much concern about the security.

Why not upgrade to the latest stable release after we released it (i mean the new one with this bug fix)?

Hi Zhang,

This is an government organization and management won't allow to do easily, it may take year or so if i request to upgrade and further i don't know whether they approve or not.

Thanks.

Khanb

7

Re: Security issue!!

Merry Christmas and Happy New Year to All!

Zhang - from your message, look like this security issue is in all ldap based iRedAdmin Pro versions which are released till date!

My suggestion, please dont put your all of customers on risk as this vulnerability is exposed, instead of adding this into new release, share the fix for everyone ASAP!

I feel it should not be fixing the search query with session / ACL / modifying query string.

Thank you!

Sandeep

8

Re: Security issue!!

Hi Zhang,

Any update on this?

Regards,

Khanb

9

Re: Security issue!!

Hi Khanb,

Sorry about this delay. I will release new version of iRedAdmin-Pro this Monday.

10

Re: Security issue!!

ZhangHuangbin wrote:

Hi Khanb,

Sorry about this delay. I will release new version of iRedAdmin-Pro this Monday.

Hi Zhang,

You have released new iRedAdmin-Pro with bug-fixes. What about the patch for older versions?.
All older iRedAdmin-Pro versions are now at security risk!!. Please share the patch ASAP to resolve this forever.

Regards,

Khanb

11

Re: Security issue!!

Hi khanb,

I sent an email to you, could you please help check your mailbox and reply me?