search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Webmin and Usermin fail to sanitize user input

Vulnerability Note VU#999601

Original Release Date: 2006-07-07 | Last Revised: 2006-08-01

Overview

Webmin and Usermin do not properly sanitize user input. This vulnerability may allow a remote, unauthenticated user to view any file on the system running Webmin or Usermin.

Description

Webmin

Webmin is popular web-based administration tool for Unix and Linux servers that allows system administrators to make changes to system processes.

Usermin

Usermin offers an interface similar to Webmin, but is designed for regular users who are not responsible for system administration tasks.

The Problem

There is an input validation vulnerability in Usermin and Webmin that could allow a remote, unauthenticated attacker could view any file on the computer running Webmin or Usermin.

Impact

An attacker could read any file on the computer running Webmin or Usermin.

Solution

Upgrade
Usermin version Version 1.220 and Webmin version 1.290 have been released to address this vulnerability.


Restrict Access

Restrict access to the Webmin and Usermin servers to trusted hosts. Note that in addition to firewall and VPN access control methods, both Webmin and usermin can use SSH tunneling to provide additional layers of encryption and authorization.

Vendor Information

999601
Expand all

Webmin

Updated:  July 07, 2006

Status

  Unknown

Vendor Statement

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This vulnerability was reported by the Webmin team.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The Webmin team has reported this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2006-3392
Severity Metric: 9.53
Date Public: 2006-06-30
Date First Published: 2006-07-07
Date Last Updated: 2006-08-01 18:09 UTC
Document Revision: 31

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.