Full Disclosure mailing list archives
SSD Advisory – Webmin Multiple Vulnerabilities
From: Maor Shwartz <maors () beyondsecurity com>
Date: Sun, 15 Oct 2017 10:24:07 +0300
SSD Advisory – Webmin Multiple Vulnerabilities

Full report: https://blogs.securiteam.com/index.php/archives/3430
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability summary

The following advisory describes three (3) vulnerabilities found in Webmin version 1.850.

Webmin “is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely. See the standard modules page for a list of all the functions built into Webmin.”

The vulnerabilities found are:
- XSS vulnerability that leads to Remote Code Execution
- CSRF: schedule arbitrary commands
- Server Side Request Forgery

Credit

An independent security researcher, hyp3rlinx, has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response

The vendor has released patches to address these vulnerabilities. For more information:
https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9
and http://www.webmin.com/security.html

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514
Attachment: SSD Advisory – Webmin Multiple Vulnerabilities – SecuriTeam Blogs.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/