From: Jamie C. <jca...@we...> - 2004-06-13 05:59:08
There were three issues, none of which were too serious :

1) A logged-in Webmin user could view (but not change) the configuration
of any module, even those that he wasn't granted access to. This can be
fixed by inserting the following lines at line 9 of config.cgi :

&read_acl(\%acl);
$acl{$base_remote_user,$m} || &error($text{'config_eaccess'});

2) By attempting to login with a username containing a space, an attacker
could lock out valid Webmin users. This is really just a denial-of-service
attack, not a remote access vulnerability. It was fixed by changing line
1056 of miniserv.pl from :

if ($authuser =~ /\r|\n/) {

to

if ($authuser =~ /\r|\n|\s/) {

3) When reading an HTML attachment in Usermin's Read Mail module,
malicious links or image references in the HTML could be used to trigger
the execution of commands in Usermin. For example, a link like :

<a href=../proc/run.cgi?cmd=rm+*>click me</a>

The patch for this one is a bit too complex to include in this email - I
would recommend upgrading the entire Read Mail module instead.

 - Jamie

"Jaldhar H. Vyas" <ja...@de...> wrote ..
> Jamie,
>
> Can you comment on the recent security flaws discovered in usermin and
> webmin, the ones that were fixed for 1.080 and 1.150? What exactly are
> the issues? The Japanese group SAN put out advisories but they're rather
> low on detail. Am I right that there are no known exploits at this time?
>
> Also could you provide a diff of the security changes only vis-a-vis
> 1.070/1.140? The Debian security team would like to take a look. Thanks
> in advance.
>
> --
> Jaldhar H. Vyas <ja...@de...>
> La Salle Debain - http://www.braincells.com/debian/
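As an added illustration (not code from the email above or from Webmin itself), the following Perl script runs the pre-fix and post-fix miniserv.pl username checks quoted in issue 2 over a handful of constructed usernames, so a maintainer can see exactly which inputs the tightened pattern rejects that the old one let through. The sample usernames are made up for this example; the two regexes are the ones quoted in the message.

```perl
#!/usr/bin/perl
# Added example, not Webmin's code: compare the pre-fix and post-fix
# username checks from miniserv.pl (issue 2 above) on constructed inputs.
use strict;
use warnings;

# Pre-fix check: only a carriage return or line feed is rejected.
sub rejected_before {
    my ($user) = @_;
    return $user =~ /\r|\n/ ? 1 : 0;
}

# Post-fix check: any whitespace character (space, tab, CR, LF, ...)
# is rejected as well, which is what closes the lock-out problem.
sub rejected_after {
    my ($user) = @_;
    return $user =~ /\r|\n|\s/ ? 1 : 0;
}

# Constructed sample usernames (not taken from the advisory or the email).
my @samples = ("root", "jamie", "jamie smith", "bob\tx", "eve\r\n", "  ");

printf "%-18s %-8s %-8s\n", "username", "before", "after";
for my $user (@samples) {
    # Show control characters as \xNN so the table stays readable.
    (my $shown = $user) =~ s/([\r\n\t])/sprintf("\\x%02x", ord($1))/ge;
    printf "%-18s %-8s %-8s\n", "\"$shown\"",
        rejected_before($user) ? "reject" : "accept",
        rejected_after($user)  ? "reject" : "accept";
}
```

Running it prints one row per sample: "jamie smith", the tab-containing name and the all-spaces name are accepted by the old pattern and rejected by the new one, while the CR/LF case is rejected by both. The same two subroutines can be dropped into a regression test for a patched miniserv.pl to confirm the line 1056 change took effect.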