Javier Bassi | 24 Apr 02:46 2011

[webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

Information
--------------------
Name :  XSS vulnerability in Webmin
Software :  All versions prior to and including 1.540 are affected.
Vendor Homepage :  http://www.webmin.com
Vulnerability Type :  Cross-Site Scripting
Severity :  Medium
Researcher :  Javier Bassi <javierbassi [at] gmail [dot] com>

Description
------------------
Webmin is a web-based interface for system administration for Unix.
Using any modern web browser, you can set up user accounts, Apache,
DNS, file sharing and much more.
https://secure.wikimedia.org/wikipedia/en/wiki/Webmin

Details
-------------------
Webmin is affected by an XSS vulnerability in all versions prior to and
including 1.540.
Webmin fails to sanitize $real in useradmin/index.cgi. $real is the
"Full Name" in the finger information of the user. useradmin/index.cgi
is the control panel of the "Users & Groups" section in Webmin.
An attacker who has a normal user on the victim's machine could be
able to change his Full Name with the chfn command, inject XSS and execute
commands as root.

Timeline:
-------------------
2011.04.24 - announced at my site/informed developers/disclosed at my site.
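
An added example, not part of the original post and not Webmin's code: a Python audit for the condition the report describes. It reads passwd(5)-format lines, flags accounts whose GECOS full name contains HTML metacharacters, and shows the HTML-escaped form a page should emit. The function names and sample lines are constructed for illustration.

```python
import html

# Characters that change meaning when a value is written into HTML unescaped.
HTML_META = set("<>&\"'")


def parse_passwd_line(line):
    """Return (username, full_name) from one passwd(5) line, or None."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 7:
        return None
    # GECOS is field 5; by convention its first comma-separated
    # subfield is the full name, which chfn lets the user set.
    full_name = fields[4].split(",")[0]
    return fields[0], full_name


def audit(lines):
    """Return findings for accounts whose full name holds HTML metacharacters."""
    findings = []
    for line in lines:
        parsed = parse_passwd_line(line)
        if parsed is None:
            continue
        user, full_name = parsed
        if HTML_META & set(full_name):
            findings.append({
                "user": user,
                "full_name": full_name,
                # What a page should output instead of the raw value.
                "escaped": html.escape(full_name, quote=True),
            })
    return findings


# Constructed sample input, not taken from any real system.
SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice Example,Room 1,555-0100,:/home/alice:/bin/bash",
    "mallory:x:1001:1001:<script>alert(1)</script>,,,:/home/mallory:/bin/bash",
    "bob:x:1002:1002:Bob & Sons:/home/bob:/bin/sh",
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['user']}: raw={f['full_name']!r} escaped={f['escaped']!r}")
```

On a live host the same functions can be fed the lines of /etc/passwd; a hit is an account to review before an administrator opens an unpatched "Users & Groups" page.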

Jamie Cameron | 24 Apr 03:11 2011

Re: [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

Hi Javier,

Thanks for reporting this - I hadn't considered this attack
vector, as I didn't realize that chfn could be used to modify a user's
real name.

I have created a fix which you can see at :

https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881

Also an update for the Users and Groups module can be found at 
http://www.webmin.com/updates.html , and will be available from within
the Webmin UI.

 - Jamie

On 23/Apr/2011 17:46 Javier Bassi <javierbassi <at> gmail.com> wrote ..
> Information
> --------------------
> Name :  XSS vulnerability in Webmin
> Software :  All versions prior to and including 1.540 are affected.
> Vendor Homepage :  http://www.webmin.com
> Vulnerability Type :  Cross-Site Scripting
> Severity :  Medium
> Researcher :  Javier Bassi <javierbassi [at] gmail [dot] com>
> 
> 
> Description
> ------------------
> Webmin is a web-based interface for system administration for Unix.

Javier Bassi | 24 Apr 03:17 2011

Re: [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

On Sat, Apr 23, 2011 at 10:11 PM, Jamie Cameron <jcameron <at> webmin.com> wrote:
> Hi Javier,
>
> Thanks for reporting this - I hadn't considered this attack
> vector, as I didn't realize that chfn could be used to modify a user's
> real name.
>
> I have created a fix which you can see at :
>
> https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881
>
> Also an update for the Users and Groups module can be found at
> http://www.webmin.com/updates.html , and will be available from within
> the Webmin UI.
>
>  - Jamie

Thanks for the fast fix!

Javier


Javier Bassi | 26 Apr 17:32 2011

Re: [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

Also escape the username in mass_delete_user.cgi (when the
enable/disable/delete feature is used).
There is no possible exploit scenario there, so no security issue, but
there is also no reason to have it unescaped.

On Sat, Apr 23, 2011 at 10:17 PM, Javier Bassi <javierbassi <at> gmail.com> wrote:
> On Sat, Apr 23, 2011 at 10:11 PM, Jamie Cameron <jcameron <at> webmin.com> wrote:
>> Hi Javier,
>>
>> Thanks for reporting this - I hadn't considered this attack
>> vector, as I didn't realize that chfn could be used to modify a user's
>> real name.
>>
>> I have created a fix which you can see at :
>>
>> https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881
>>
>> Also an update for the Users and Groups module can be found at
>> http://www.webmin.com/updates.html , and will be available from within
>> the Webmin UI.
>>
>>  - Jamie
>
> Thanks for the fast fix!
>
> Javier
>
