CVE-2017-5930 – Postfixadmin Protected Alias Deletion

https://notcve.org/view.php?id=CVE-2017-5930

The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check. El componente AliasHandler en PostfixAdmin en versiones anteriores a 3.0.2 permiten a los administradores de dominio autenticados remotos eliminar alias protegidos a través del parámetro delete para delete.php, implicando un cheque de permiso desaparecido. Postfixadmin installations between 2.91 and 3.0.1 do not check if an admin is allowed to delete protected aliases. This vulnerability can be used to redirect protected aliases to an other mail address. Eg. rewrite the postmaster@domain alias. • http://lists.opensuse.org/opensuse-updates/2017-02/msg00076.html http://www.openwall.com/lists/oss-security/2017/02/08/1 http://www.openwall.com/lists/oss-security/2017/02/09/1 http://www.securityfocus.com/bid/96142 https://github.com/postfixadmin/postfixadmin/blob/postfixadmin-3.0.2/CHANGELOG.TXT https://github.com/postfixadmin/postfixadmin/pull/23 https://sourceforge.net/p/postfixadmin/mailman/message/35646827 • CWE-862: Missing Authorization •