Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

SSD Advisory – Webmin Multiple Vulnerabilities

From: Maor Shwartz <maors () beyondsecurity com>
Date: Sun, 15 Oct 2017 10:24:07 +0300
SSD Advisory – Webmin Multiple Vulnerabilities

Full report: https://blogs.securiteam.com/index.php/archives/3430
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability summary
The following advisory describes three (3) vulnerabilities found in Webmin
version 1.850

Webmin “is a web-based interface for system administration for Unix. Using
any modern web browser, you can setup user accounts, Apache, DNS, file
sharing and much more. Webmin removes the need to manually edit Unix
configuration files like /etc/passwd, and lets you manage a system from the
console or remotely. See the standard modules page for a list of all the
functions built into Webmin.”

The vulnerabilities found are:

XSS vulnerability that leads to Remote Code Execution
CSRF Schedule arbitrary commands
Server Side Request Forgery

Credit
An independent security researcher, hyp3rlinx, has reported this
vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
The vendor has released patches to address these vulnerabilities.

For more information:
https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9
and http://www.webmin.com/security.html


--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

Attachment: SSD Advisory – Webmin Multiple Vulnerabilities – SecuriTeam Blogs.pdf
Description: 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: