SQL injection is possible with reseller rights: i.e., it is possible to enter '# in the "change user" field. As a result, you get a list of all added users on the server. With a specially malformed string it is possible to execute any SQL command as the Confixx MySQL user on the Confixx database.

The vendor was informed about this over a month ago, when 3.06 was the current version. 3.08 has been released; the bug still exists.