functions.inc.php / create_admin():

- fix SQL injection (only exploitable by superadmins) Reported by Matthias Bethke (msbethke@SF), https://sourceforge.net/tracker/?func=detail&atid=937964&aid=3412484&group_id=191583 (+ changelog update for this and the previous commit) git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3@1185 a1433add-5e2c-0410-b055-b7f2511e0802
13 years ago · dba89ba42e
parent d196f38dde
commit dba89ba42e
2 changed files with 7 additions and 1 deletions
--- a/CHANGELOG.TXT
+++ b/CHANGELOG.TXT
@ -10,6 +10,12 @@
 # Last update:
 # $Id$

+SVN changes since 2.3.4 release (postfixadmin-2.3 branch)
+----------------------------------------------------------------
+
+  - create-domain: fix SQL injection (only exploitable by superadmins)
+  - add missing $LANG['pAdminDelete_admin_error']
+
 Version 2.3.4 - 2011/09/16 - SVN r1180 (postfixadmin-2.3 branch)
 ----------------------------------------------------------------

--- a/functions.inc.php
+++ b/functions.inc.php
@ -2349,7 +2349,7 @@ function create_admin($fUsername, $fPassword, $fPassword2, $fDomains, $no_genera
            {
                for ($i = 0; $i < sizeof ($fDomains); $i++)
                {
-                    $domain = $fDomains[$i];
+                    $domain = escape_string($fDomains[$i]);
                    $result = db_query ("INSERT INTO " . table_by_key ('domain_admins') . " (username,domain,created) VALUES ('$fUsername','$domain',NOW())");
                }
            }