Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

From: Henri Salo <henri () nerv fi>
Date: Sat, 21 May 2011 13:25:07 +0300
On Sat, Apr 23, 2011 at 06:11:12PM -0700, Jamie Cameron wrote:

Hi Javier,

Thanks for reporting this - I hadn't considered this attack
vector, as I didn't realize that chfn could be used to modify a user's
real name.

I have created a fix which you can see at :

https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881

Also an update for the Users and Groups module can be found at 
http://www.webmin.com/updates.html , and will be available from within
the Webmin UI.

 - Jamie


In what Webmin-release this will be fixed? Do you have CVE-identifier for this yet?

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: