Vulnerability Note VU#788478

Webmin contains input validation vulnerabilities

Original Release date: 06 Sep 2012 | Last revised: 14 Aug 2014


Webmin 1.580, and possibly earlier versions, has been reported to contain input validation vulnerabilities.


The advisories from American Information Security Group report the following vulnerabilities.

CWE-20: Improper Input Validation - CVE-2012-2981
"An input validation flaw allows for authenticated users to execute arbitrary Perl statements, commands, or libraries by parsing any file provided."

CWE-77: Improper Neutralization of Special Elements used in a Command - CVE-2012-2982
"An input validation flaw within /file/show.cgi allows for authenticated users to execute arbitrary system commands as a privileged user. Additionally, anyone with a previously established session can be made to execute arbitrary commands on the server by embedding the attack in HTML code–such as IMG SRC tags within HTML emails."

CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CVE-2012-2983
"A directory traversal flaw within edit_html.cgi allows an attacker to view any file as user root."

Full details of each vulnerability are available in the American Information Security Group advisories linked in the References section.


An authenticated attacker may be able to execute arbitrary commands.


We are currently unaware of a practical solution to this problem. The vendor is aware of the vulnerabilities and has patches available in the development branch, but an official release including the patches was not available at the time of publication.

Patch for CVE-2012-2981

Patch for CVE-2012-2982

Patch for CVE-2012-2983

Please consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing Webmin using stolen credentials from a blocked network location.
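The trusted-network workaround above and the three scripts named in the advisories can be checked together against Webmin's access log. The following is an added example, not code from the CERT note or from Webmin: it assumes miniserv logs requests in Combined Log Format, and the trusted networks, the /file/ prefix for edit_html.cgi and the sample log lines are constructed placeholders.

```python
"""Triage Webmin access-log lines for the CGIs named in VU#788478.

Added example, not part of the CERT note or of Webmin. Assumptions: miniserv
logs requests in Combined Log Format; the trusted networks and the sample
log lines below are constructed, not captured from a real host.
"""
import ipaddress
import re
from urllib.parse import unquote

# Workaround from the note: only trusted hosts/networks should reach Webmin.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
# Scripts named in the advisories (the /file/ prefix for edit_html.cgi is assumed).
AFFECTED_CGIS = ("/file/show.cgi", "/file/edit_html.cgi")
SHELL_META = re.compile(r"[|;`$&]")   # CVE-2012-2982: command separators in the request
TRAVERSAL = re.compile(r"\.\.(/|$)")  # CVE-2012-2983: parent-directory traversal
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

SAMPLE_LINES = [  # constructed
    '192.168.1.20 - admin [06/Sep/2012:10:00:01 +0000] "GET /file/show.cgi/etc/hostname HTTP/1.1" 200 512',
    '203.0.113.7 - admin [06/Sep/2012:10:02:14 +0000] "GET /file/show.cgi/tmp/notes%3Bx HTTP/1.1" 200 64',
    '203.0.113.7 - admin [06/Sep/2012:10:03:40 +0000] "GET /file/edit_html.cgi?file=../../etc/hosts HTTP/1.1" 200 220',
]


def triage(line):
    """Return a dict with findings for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    findings = []
    if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
        findings.append("untrusted-source")
    if any(target.startswith(cgi) for cgi in AFFECTED_CGIS):
        decoded = unquote(target)  # inspect what the CGI will actually see
        if SHELL_META.search(decoded):
            findings.append("shell-metachar")
        if TRAVERSAL.search(decoded):
            findings.append("path-traversal")
    return {"src": src, "method": method, "target": target, "status": status, "findings": findings}


def suspicious(lines):
    """Keep only parsed lines that raised at least one finding."""
    return [r for r in (triage(l) for l in lines) if r and r["findings"]]


if __name__ == "__main__":
    for r in suspicious(SAMPLE_LINES):
        print(r["src"], r["target"], ",".join(r["findings"]))
```

A hit on "untrusted-source" alone shows the allow-list workaround is not in force; the other two findings point at the specific scripts the advisories cover.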

Vendor Information

Vendor   Status     Date Notified   Date Updated
Webmin   Affected   10 Jul 2012     05 Sep 2012

CVSS Metrics

Group          Score   Vector
Base           8.5     AV:N/AC:M/Au:S/C:C/I:C/A:C
Temporal       6.9     E:POC/RL:TF/RC:C
Environmental  5.2     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to the American Information Security Group for reporting this vulnerability.

This document was written by Jared Allar.

Other Information


If you have feedback, comments, or additional information about this vulnerability, please send us email.