update CHANGELOG.TXT with latest commits/fixes

git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3@1325 a1433add-5e2c-0410-b055-b7f2511e0802
13 years ago · 71f7b03801
parent 638f2755eb
commit 71f7b03801
1 changed files with 8 additions and 0 deletions
--- a/CHANGELOG.TXT
+++ b/CHANGELOG.TXT
@ -13,6 +13,14 @@
 SVN changes since 2.3.4 release (postfixadmin-2.3 branch)
 ----------------------------------------------------------------

+  - fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
+  - fix SQL injection in backup.php - the dump was not mysql_escape()d, 
+    therefore users could inject SQL (for example in the vacation message)
+    which will be executed when restoring the database dump.
+    WARNING: database dumps created with backup.php from 2.3.4 or older might
+             contain malicious SQL. Double-check before using them!
+  - fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
+  - fix XSS in some create-domain input fields
  - create-domain: fix SQL injection (only exploitable by superadmins)
  - add missing $LANG['pAdminDelete_admin_error']
  - don't mark mailbox targets with recipient delimiter as "forward only"