[SNS Advisory No.53] Webmin/Usermin Session ID Spoofing Vulnerability

From: snsadv@lac.co.jp
Date: 05/08/02


Date: Wed, 08 May 2002 14:20:32 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com


----------------------------------------------------------------------
SNS Advisory No.53
Webmin/Usermin Session ID Spoofing Vulnerability

Problem first discovered: Sat, 4 May 2002
Published: Tue, 7 May 2002
----------------------------------------------------------------------

Overview:
---------
  A vulnerability lies in the communication between the parent process
  and the child process of Webmin and Usermin, which could allow an
  attacker to spoof the session ID of any user who is already logged in.
  As a result, users who are not logged in may be able to use these
  software tools.

Description:
------------
  Webmin is a web-based system administration tool for Unix. Usermin
  is a web interface that lets any user on a Unix system read mail and
  configure SSH and mail forwarding.

  In both packages, the parent process and the child process communicate
  internally over named pipes when a session ID is created or verified,
  and when password timeouts are applied. Because control characters in
  the data passed as authentication information are not stripped, an
  attacker can make Webmin and Usermin accept an arbitrary combination
  of user name and session ID. If an attacker logs into Webmin by means
  of this problem, arbitrary commands may be executed with root
  privileges.
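  The following is an added illustration, not code from the advisory or from
  the Webmin/Usermin projects. It models the flaw class described above with
  a constructed, line-oriented parent/child IPC channel: the command names
  ("new", "verify"), the message layout and all class and function names are
  assumptions made for this example and do not describe the real protocol.
  It shows why an unstripped control character in a client-supplied field
  lets a second command reach the parent, and two places a defender can
  close that hole: the parent rejecting control characters before parsing,
  and the child whitelisting the field before it is written to the pipe.

```python
import re

# Constructed model of a line-oriented parent/child IPC channel, written to
# illustrate the flaw class the advisory describes. It is NOT Webmin's or
# Usermin's real protocol: the command names ("new", "verify"), the message
# layout and the class names are assumptions made for this example.

FIELD_RE = re.compile(r"\A[A-Za-z0-9_.-]+\Z")  # whitelist for client-supplied fields
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")     # ASCII control characters, \n included


class SessionParent:
    """Parent-process side: owns the table of valid session ids."""

    def __init__(self):
        self.sessions = {}  # session id -> user name

    def _execute(self, line):
        parts = line.split(" ")
        if parts[0] == "new" and len(parts) == 3:
            sid, user = parts[1], parts[2]
            self.sessions[sid] = user
            return "ok"
        if parts[0] == "verify" and len(parts) == 2:
            return self.sessions.get(parts[1], "none")
        return "error"

    def handle_unsafe(self, message):
        """Vulnerable: splits the raw message on newlines, so a newline hidden
        inside a field turns into a second, attacker-chosen command."""
        return [self._execute(line) for line in message.split("\n")]

    def handle_safe(self, message):
        """Hardened: one message is exactly one command, and any control
        character anywhere in it is rejected before the command is parsed."""
        if CONTROL_RE.search(message):
            return ["error"]
        return [self._execute(message)]


def child_verify_request(sid):
    """Child-process side: builds the IPC request from the client's cookie.
    Whitelisting the field here stops bad data before it reaches the pipe."""
    if not FIELD_RE.match(sid):
        raise ValueError("session id contains disallowed characters")
    return "verify " + sid


def spoof_succeeds(handler_name):
    """Replay a constructed malicious cookie value against the chosen handler
    and report whether an unregistered session id ends up mapped to 'admin'."""
    parent = SessionParent()
    parent.handle_safe("new 1a2b3c admin")     # a genuine login by admin
    hostile_sid = "zzz\nnew zzz admin"         # constructed: newline inside the field
    handler = getattr(parent, handler_name)
    handler("verify " + hostile_sid)
    return parent.sessions.get("zzz") == "admin"


def cookie_is_rejected_by_child(sid):
    """True when the child-side whitelist refuses to forward the field."""
    try:
        child_verify_request(sid)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("unsafe parent spoofed:", spoof_succeeds("handle_unsafe"))  # True
    print("safe parent spoofed:  ", spoof_succeeds("handle_safe"))    # False
    print("child rejects cookie: ",
          cookie_is_rejected_by_child("zzz\nnew zzz admin"))          # True
```

  Either check alone is enough to stop the injected "new" command in this
  model; applying both keeps the parent safe even if a future child-side
  code path forgets to validate. In a real fix, the whitelist should match
  exactly the character set the session-ID generator can produce.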

  [Preconditions for a successful exploit]

  In the case of Webmin:

  * Webmin->Configuration->Authentication
    "Enable password timeouts" is enabled
  * a valid Webmin username is known
    (by default, the user "admin" exists and can use all the
    functions, including the command shell)

  In the case of Usermin:

  * password timeout is enabled
  * a valid Usermin username is known

Tested Versions:
----------------
  Webmin Version: 0.960
  Usermin Version: 0.90

Solution:
---------
  This problem can be eliminated by upgrading to Webmin version 0.970 or
  Usermin version 0.910, which are available at:

  http://www.webmin.com/

Discovered by:
--------------
  Keigo Yamazaki

Disclaimer:
-----------
  All information in these advisories is subject to change without
  advance notice or mutual consensus, and is released as is. LAC Co., Ltd.
  is not responsible for any risks or occurrences caused by applying this
  information.
