Some vulnerabilities have been reported in Webmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to unspecified parameters in pam_login.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in version 1.340. Prior versions may also be affected. Solution: Update to version 1.350. Provided and/or discovered by: Reported by the vendor.
Setting status and cc'ing maintainer. please advise and bump as necessary.
*** Bug 180607 has been marked as a duplicate of this bug. ***
beu's being retired... I'm adding armin76 to CC, since he did the last security bump.
1.350 in the tree
Thanks Raul. Arches, please test and mark stable. Target keywords are: webmin-1.350.ebuild:KEYWORDS="alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"
ppc64 stable
Stable for HPPA.
alpha/x86 stable
ppc stable
sparc stable.
amd64 done
I tend to vote YES.
I tend to vote yes too.
In order to stealth (and use) the victim's cookies, an attacker has to: - have access to the webmin interface (which i think is highly insecure) - bring the victim to a crafted, malicious URL. Usually i vote no, but given that a webmin credentials compromise is likely to lead to a complete system compromise, i will vote yes. I still think running webmin over internet is silly.
usermin is certainly affected too, since the pam_login.cgi file is exactly the same one. (between vulnerable webmin-1.340 and usermin-1.270) Raul could you handle this (patch or bump as necessary), thanks in advance.
app-admin/usermin-1.280 in the tree
Thx Raul. Arches, please test and mark stable usermin-1.280. Target keywords are: usermin-1.280:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86"
hppa done.
ppc stable, ready for glsa voting.
thanks Tobias, but we already voted previously :)
(In reply to comment #24) > thanks Tobias, but we already voted previously :) > nevermind then :P
GLSA 200707-05