Posted: Sun Aug 06, 2006 9:26 pm Post subject: [ GLSA 200608-11 ] Webmin, Usermin: File Disclosure
Gentoo Linux Security Advisory
Title: Webmin, Usermin: File Disclosure (GLSA 200608-11)
Severity: normal
Exploitable: remote
Date: August 06, 2006
Bug(s): #138552
ID: 200608-11
Synopsis
Webmin and Usermin are vulnerable to an arbitrary file disclosure through a specially crafted URL.
Background
Webmin is a web-based interface for Unix-like systems. Usermin is a simplified version of Webmin designed for use by normal users rather than system administrators.
Affected Packages
Package: app-admin/webmin
Vulnerable: < 1.290
Unaffected: >= 1.290
Architectures: All supported architectures
Package: app-admin/usermin
Vulnerable: < 1.220
Unaffected: >= 1.220
Architectures: All supported architectures
Description
A vulnerability in both Webmin and Usermin has been discovered by Kenny Chen, wherein simplify_path is called before the HTML is decoded.
Impact
A non-authenticated user can read any file on the server using a specially crafted URL.
Workaround
For a temporary workaround, IP Access Control can be set up on Webmin and Usermin.
Resolution
All Webmin users should update to the latest stable version:
Code:
# emerge --sync
# emerge --ask --verbose --oneshot ">=app-admin/webmin-1.290"
All Usermin users should update to the latest stable version:
Code:
# emerge --sync
# emerge --ask --verbose --oneshot ">=app-admin/usermin-1.220"
References
CVE-2006-3392
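The ordering defect the advisory describes (simplifying the path before decoding it) shown as an added illustration; this is hypothetical Python written for this post, not Webmin's or Usermin's code, and `resolve_unsafe`, `resolve_safe`, `is_within`, the `/srv/www` root and the sample requests are constructed for the demonstration.

```python
# Added illustration (hypothetical, not Webmin/Usermin code) of the ordering
# defect class: simplifying a path BEFORE percent-decoding lets an encoded
# traversal segment survive simplification and reappear after decoding.
import posixpath
from urllib.parse import unquote


def simplify_path(path: str) -> str:
    """Collapse '.', '..' and repeated slashes; the result is always absolute."""
    return posixpath.normpath("/" + path.lstrip("/"))


def is_within(root: str, full: str) -> bool:
    """True if `full` is `root` itself or lies below it (both normalized)."""
    root = posixpath.normpath(root)
    full = posixpath.normpath(full)
    return full == root or full.startswith(root.rstrip("/") + "/")


def resolve_unsafe(root: str, requested: str) -> str:
    """Wrong order: simplify, then decode. Returns the path the filesystem
    would actually open, which can lie outside `root`."""
    simplified = simplify_path(requested)   # "%2e%2e" is not ".." yet, so it is kept
    decoded = unquote(simplified)           # ...and only now becomes ".."
    return posixpath.normpath(root + decoded)


def resolve_safe(root: str, requested: str) -> str:
    """Right order: decode exactly once, then simplify, then confine to root."""
    decoded = unquote(requested)            # decode first, and never a second time
    simplified = simplify_path(decoded)     # leading ".." on an absolute path is dropped
    full = posixpath.normpath(root + simplified)
    if not is_within(root, full):           # defence in depth: never serve outside root
        raise ValueError(f"refusing path outside {root}: {full}")
    return full


if __name__ == "__main__":
    ROOT = "/srv/www"                       # constructed document root
    for req in ("/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req:28} unsafe -> {resolve_unsafe(ROOT, req):18}"
              f" safe -> {resolve_safe(ROOT, req)}")
```

The plain `..` request is contained by both orderings; only the encoded one slips past the simplify-then-decode version, which is the check to add to a review of any path handler that canonicalizes before it decodes.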