Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.

The Usermin install on the remote host is affected by an information disclosure flaw in the Perl script 'miniserv.pl'. This flaw could allow a remote, unauthenticated attacker to read arbitrary files on the affected host, subject to the privileges of the web server user id.

Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files. NOTE: This is a different issue than CVE-2006-3274.

Updated packages have been patched to correct this issue.

Several vulnerabilities have been identified in webmin, a web-based administration toolkit. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

  - CVE-2005-3912     A format string vulnerability in miniserv.pl could allow     an attacker to cause a denial of service by crashing the     application or exhausting system resources, and could     potentially allow arbitrary code execution.

  - CVE-2006-3392     Improper input sanitization in miniserv.pl could allow     an attacker to read arbitrary files on the webmin host     by providing a specially crafted URL path to the     miniserv http server.

  - CVE-2006-4542     Improper handling of null characters in URLs in     miniserv.pl could allow an attacker to conduct     cross-site scripting attacks, read CGI program source     code, list local directories, and potentially execute     arbitrary code.

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

The remote host is affected by the vulnerability described in GLSA-200608-11 (Webmin, Usermin: File Disclosure)

    A vulnerability in both Webmin and Usermin has been discovered by Kenny     Chen, wherein simplify_path is called before the HTML is decoded.
  Impact :

    A non-authenticated user can read any file on the server using a     specially crafted URL.
  Workaround :

    For a temporary workaround, IP Access Control can be setup on Webmin     and Usermin.

The webmin development team reports :

An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or setup IP access control in Webmin.

The version of Webmin installed on the remote host is affected by an information disclosure flaw due to a flaw in the Perl script 'miniserv.pl'. This flaw could allow a remote, unauthenticated attacker to read arbitrary files on the affected host, subject to the privileges of the web server user .

ID	Name	Product	Family	Severity
77704	Usermin 'miniserv.pl' Arbitrary File Disclosure	Nessus	CGI abuses	medium
23876	Mandrake Linux Security Advisory : webmin (MDKSA-2006:125)	Nessus	Mandriva Local Security Checks	medium
22908	Debian DSA-1199-1 : webmin - multiple vulnerabilities	Nessus	Debian Local Security Checks	high
22169	GLSA-200608-11 : Webmin, Usermin: File Disclosure	Nessus	Gentoo Local Security Checks	medium
21789	FreeBSD : webmin, usermin -- arbitrary file disclosure vulnerability (227475c2-09cb-11db-9156-000e0c2e438a)	Nessus	FreeBSD Local Security Checks	medium
21785	Webmin 'miniserv.pl' Arbitrary File Disclosure	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2006-3392

high

Tenable Plugins

medium

medium

high

medium

medium

medium