Gentoo Logo

Webmin, Usermin: File Disclosure


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200608-11 / webmin/usermin
Release Date August 06, 2006
Latest Revision August 06, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
app-admin/webmin < 1.290 >= 1.290 All supported architectures
app-admin/usermin < 1.220 >= 1.220 All supported architectures

Related bugreports: #138552


Webmin and Usermin are vulnerable to an arbitrary file disclosure through a specially crafted URL.

2.  Impact Information


Webmin is a web-based interface for Unix-like systems. Usermin is a simplified version of Webmin designed for use by normal users rather than system administrators.


A vulnerability in both Webmin and Usermin has been discovered by Kenny Chen, wherein simplify_path is called before the HTML is decoded.


A non-authenticated user can read any file on the server using a specially crafted URL.

3.  Resolution Information


For a temporary workaround, IP Access Control can be setup on Webmin and Usermin.


All Webmin users should update to the latest stable version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --verbose --oneshot ">=app-admin/webmin-1.290"

All Usermin users should update to the latest stable version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --verbose --oneshot ">=app-admin/usermin-1.220"

4.  References


Page updated August 06, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.