LAC Advisory

SNS Advisory No.89

Webmin/Usermin Null Character "%00" Handling Vulnerability

Discovered on: 02 Jul 2006

Released on: 31 Aug 2006


Severity:
Medium
 
Overview:
Webmin 1.290 and Usermin 1.220 have a vulnerability in the routine that deletes the null character "%00" from a requested URL. As a result, scripts could be executed in the error page (cross-site scripting), arbitrary files (with extensions such as ".pl") that should be prevented from executing could be executed, or the files located in a given directory could be indexed for browsing.
 
Description:
Webmin is a Web-based system administration tool for Unix, MacOS X, and Windows. Usermin is a Web interface that any user on a Unix system can use to perform tasks such as receiving email and configuring SSH or email forwarding.
Webmin 1.290 and Usermin 1.220 have a vulnerability in the routine that deletes the null character "%00" from a requested URL.
Requesting a URL that includes the null character could lead to:
  • Execution of scripts (cross-site scripting) in the error page.
  • Execution of arbitrary files (with extensions such as ".pl") that should be prevented from executing.
  • Indexing of files (index browsing) located in a given directory.
  • Leakage of CGI script source code.
As a result, cookies could be stolen, arbitrary operations could be executed on the system, or attackers could set up a new Web server loaded with a malicious configuration file.
 
Affected Products and Versions:

Webmin Version 1.290
Usermin Version 1.220
 
Solution:

The vulnerability can be fixed by updating the software to Webmin 1.296 or later, or Usermin 1.226 or later, which are available at:
http://download.webmin.com/devel/tarballs/
http://www.webmin.com/
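
To review whether a host that ran an affected version received requests carrying an encoded null character, the following added example (not part of the original advisory or of Webmin/Usermin) scans access-log lines and reports the decoding round at which a NUL byte appears. It assumes Common Log Format-style lines; the sample lines, addresses and paths are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line inside a Common Log Format-style entry: "METHOD target PROTO"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # bounded loop: catches %00, %2500 and %252500


def nul_decode_depth(target: str) -> int:
    """Return the 1-based decode round at which a NUL byte appears, or 0."""
    data = target.encode()
    for depth in range(1, MAX_DECODE_ROUNDS + 1):
        decoded = unquote_to_bytes(data)
        if b"\x00" in decoded:
            return depth
        if decoded == data:  # nothing left to decode
            break
        data = decoded
    return 0


def scan(lines):
    """Return (client, target, depth) for each request whose URL hides a NUL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request entry; skip rather than guess
        depth = nul_decode_depth(m.group("target"))
        if depth:
            hits.append((line.split(" ", 1)[0], m.group("target"), depth))
    return hits


# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - admin [31/Aug/2006:10:00:01 +0900] "GET /sysinfo.cgi HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Aug/2006:10:00:05 +0900] "GET /example%00/page HTTP/1.1" 404 312',
    '198.51.100.7 - - [31/Aug/2006:10:00:09 +0900] "GET /example%2500.txt HTTP/1.1" 404 312',
    '203.0.113.4 - - [31/Aug/2006:10:01:00 +0900] "GET /images/100%25.gif HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for client, target, depth in scan(SAMPLE_LOG):
        print(f"{client} NUL after {depth} decode round(s): {target}")
```

A literal "%25" that does not decode further (the last sample line) is not flagged, so ordinary percent signs in file names do not produce false positives.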
 
Discovered by:

Keigo Yamazaki (LAC)
 
Thanks to:

This LAC Advisory is released in coordination with Information-technology Promotion Agency, Japan (IPA) and Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).
http://jvn.jp/jp/JVN%2399776858/index.html
http://www.ipa.go.jp/security/vuln/documents/2006/JVN_99776858_webmin.html
 
Disclaimer:

The information contained in this advisory may be revised without prior notice and is provided as is. Users shall take their own risk when taking any actions following reading this advisory. Little eArth Corporation Co., Ltd. shall not be held responsible for any claims, losses or damages caused by the use of information provided here.
 
This advisory is available at the following URL:

http://www.lac.co.jp/english/advisory/89_e.html
