Gentoo Logo

Webmin, Usermin: File Disclosure

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200608-11 / webmin/usermin
Release Date August 06, 2006
Latest Revision August 06, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
app-admin/webmin < 1.290 >= 1.290 All supported architectures
app-admin/usermin < 1.220 >= 1.220 All supported architectures

Related bugreports: #138552

Synopsis

Webmin and Usermin are vulnerable to an arbitrary file disclosure through a specially crafted URL.

2.  Impact Information

Background

Webmin is a web-based interface for Unix-like systems. Usermin is a simplified version of Webmin designed for use by normal users rather than system administrators.

Description

A vulnerability in both Webmin and Usermin has been discovered by Kenny Chen, wherein simplify_path is called before the HTML is decoded.

Impact

A non-authenticated user can read any file on the server using a specially crafted URL.

3.  Resolution Information

Workaround

For a temporary workaround, IP Access Control can be setup on Webmin and Usermin.

Resolution

All Webmin users should update to the latest stable version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --verbose --oneshot ">=app-admin/webmin-1.290"

All Usermin users should update to the latest stable version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --verbose --oneshot ">=app-admin/usermin-1.220"

4.  References

Print

Page updated August 06, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.