headers
Javier Bassi | 24 Apr 2011 02:46
Picon
Gravatar

[webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

Information
--------------------
Name :  XSS vulnerability in Webmin
Software :  All versions prior to and including 1.540 are affected.
Vendor Hompeage :  http://www.webmin.com
Vulnerability Type :  Cross-Site Scripting
Severity :  Medium
Researcher :  Javier Bassi <javierbassi [at] gmail [dot] com>

Description
------------------
Webmin is a web-based interface for system administration for Unix.
Using any modern web browser, you can setup user accounts, Apache,
DNS, file sharing and much more.
https://secure.wikimedia.org/wikipedia/en/wiki/Webmin

Details
-------------------
Webmin is affected by a XSS vulnerability in all versions prior to and
including 1.540.
Webmin fails to sanitize $real in useradmin/index.cgi. $real is the
"Full Name" in the finger information of the user. useradmin/index.cgi
is the control panel of the "Users & Groups" section in webmin.
An attacker that has a normal user on the victim's machine could be
able to change his Full Name with chfn command, inject XSS and execute
commands as root.

Timeline:
-------------------
2011.04.24 - announced at my site/informed developers/disclosed at my site.
(Continue reading)

Permalink | Reply |
headers
Jamie Cameron | 24 Apr 2011 03:11

Re: [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

Hi Javier,

Thanks for reporting this - I hadn't considered this attack
vector, as I didn't realize that chfn could be used to modify a user's
real name.

I have created a fix which you can see at :

https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881

Also an update for the Users and Groups module can be found at 
http://www.webmin.com/updates.html , and will be available from within
the Webmin UI.

 - Jamie

On 23/Apr/2011 17:46 Javier Bassi <javierbassi <at> gmail.com> wrote ..
> Information
> --------------------
> Name :  XSS vulnerability in Webmin
> Software :  All versions prior to and including 1.540 are affected.
> Vendor Hompeage :  http://www.webmin.com
> Vulnerability Type :  Cross-Site Scripting
> Severity :  Medium
> Researcher :  Javier Bassi <javierbassi [at] gmail [dot] com>
> 
> 
> Description
> ------------------
> Webmin is a web-based interface for system administration for Unix.
(Continue reading)

Permalink | Reply |
headers
Javier Bassi | 24 Apr 2011 03:17
Picon
Gravatar

Re: [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

On Sat, Apr 23, 2011 at 10:11 PM, Jamie Cameron <jcameron <at> webmin.com> wrote:
> Hi Javier,
>
> Thanks for reporting this - I hadn't considered this attack
> vector, as I didn't realize that chfn could be used to modify a user's
> real name.
>
> I have created a fix which you can see at :
>
> https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881
>
> Also an update for the Users and Groups module can be found at
> http://www.webmin.com/updates.html , and will be available from within
> the Webmin UI.
>
>  - Jamie

Thanks for the fast fix!

Javier

------------------------------------------------------------------------------
Fulfilling the Lean Software Promise
Lean software platforms are now widely adopted and the benefits have been 
demonstrated beyond question. Learn why your peers are replacing JEE 
containers with lightweight application servers - and what you can gain 
from the move. http://p.sf.net/sfu/vmware-sfemails
-
Forwarded by the Webmin development list at webmin-devel <at> webmin.com
To remove yourself from this list, go to
(Continue reading)

Permalink | Reply |
headers
Javier Bassi | 26 Apr 2011 17:32
Picon
Gravatar

Re: [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

Also escape the username in mass_delete_user.cgi (when
enable/disable/delete feature is used)
There is no possible exploit scenario there, so no security issue, but
also there is not reason to have it unescaped.

On Sat, Apr 23, 2011 at 10:17 PM, Javier Bassi <javierbassi <at> gmail.com> wrote:
> On Sat, Apr 23, 2011 at 10:11 PM, Jamie Cameron <jcameron <at> webmin.com> wrote:
>> Hi Javier,
>>
>> Thanks for reporting this - I hadn't considered this attack
>> vector, as I didn't realize that chfn could be used to modify a user's
>> real name.
>>
>> I have created a fix which you can see at :
>>
>> https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881
>>
>> Also an update for the Users and Groups module can be found at
>> http://www.webmin.com/updates.html , and will be available from within
>> the Webmin UI.
>>
>>  - Jamie
>
> Thanks for the fast fix!
>
> Javier
>

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
(Continue reading)

Permalink | Reply |
headers
Henri Salo | 21 May 2011 12:25
Picon
Gravatar

Re: [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

On Sat, Apr 23, 2011 at 06:11:12PM -0700, Jamie Cameron wrote:
> Hi Javier,
> 
> Thanks for reporting this - I hadn't considered this attack
> vector, as I didn't realize that chfn could be used to modify a user's
> real name.
> 
> I have created a fix which you can see at :
> 
> https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881
> 
> Also an update for the Users and Groups module can be found at 
> http://www.webmin.com/updates.html , and will be available from within
> the Webmin UI.
> 
>  - Jamie

In what Webmin-release this will be fixed? Do you have CVE-identifier for this yet?

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Permalink | Reply |
headers
Javier Bassi | 21 May 2011 16:13
Picon
Gravatar

Re: [webmin-devel] [Full-disclosure] XSS in Webmin 1.540 + exploit for privilege escalation

> In what Webmin-release this will be fixed? Do you have CVE-identifier for this yet?

The new version (Webmin 1.550) fixes this vulnerability. I don't have
CVE-id, I tried to contact cve.mitre.org guys with no luck. I have BID
Bugtraq ID: 	47558

------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its 
next-generation tools to help Windows* and Linux* C/C++ and Fortran 
developers boost performance applications - including clusters. 
http://p.sf.net/sfu/intel-dev2devmay
-
Forwarded by the Webmin development list at webmin-devel <at> webmin.com
To remove yourself from this list, go to
http://lists.sourceforge.net/lists/listinfo/webadmin-devel
Permalink | Reply |

Gmane