Bug#: 106705
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jean-François Brunette (RETIRED) <formula7@gentoo.org>
Description:   Opened: 2005-09-20 11:19 0000
A vulnerability has been reported in Webmin and Usermin, which can be exploited
by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error in the authentication
process. This can be exploited to access Webmin or Usermin without providing a
valid username and password.

Successful exploitation requires that full PAM conversations have been enabled
via the Authentication page (not default setting).

The vulnerability has been reported in Webmin versions prior to 1.230 and
Usermin versions prior to 1.160.

Solution:
Usermin:
Update to version 1.160.
http://www.webmin.com/udownload.html

Webmin:
Update to version 1.230.
http://www.webmin.com/download.html

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-09-20 23:37:15 0000 -------
Please advise and bump as necessary.  
  
I assume that "Support full PAM conversations" is not enabled as default. 
 
http://www.webmin.com/changes.html  

------- Comment #2 From Jeremy Huddleston (RETIRED) 2005-09-21 01:05:39 0000 -------
We don't support pam in webmin because of bug #62123, so it is certainly off by
default.  I'll bump webmin/usermin in a few...

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-09-21 12:52:09 0000 -------
Just posted to BugTraq seems to indicate that this is worse than first 
expected: 
 
Overview: 
--------- 
  A vulnerability that could result in a session ID spoofing exists in  
  miniserv.pl, which is a webserver program that gets both Webmin and  
  Usermin to run. 
 
 
Problem Description: 
-------------------- 
  Webmin is a web-based system administration tool for Unix. Usermin 
  is a web interface that allows all users on a Unix system to easily 
  receive mails and to perform SSH and mail forwarding configuration. 
 
  Miniserv.pl is a webserver program that gets both Webmin and Usermin 
  to run. Miniserv.pl carries out named pipe communication between the  
  parent and the child process during the creation and confirmation of  
  effectiveness of a session ID (session used for access control via  
  the Web). 
 
  Miniserv.pl does not check whether metacharacters, such as line feed  
  or carriage return, are included with user supplied strings during the  
  PAM(Pluggable Authentication Modules) authentication process. 
 
  Exploitation, therefore, could make it possible for attackers to bypass 
  authentication and execute arbitrary commands as root.
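
Added illustration, not part of the bug report and not Webmin's code: the class of flaw the advisory quoted in comment #3 describes, where a user-supplied string containing a line feed becomes an extra record in a line-delimited parent/child message, shown next to a writer that rejects control characters. The record format, verb and function names are hypothetical; miniserv.pl's actual pipe protocol does not appear on this page.

```python
import re

# Hypothetical record format (an assumption, not miniserv.pl's real protocol):
# the child writes one record per line to the pipe: "<verb> <field> ...\n".
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def frame_unchecked(verb, *fields):
    """'Before' form: user-supplied fields go onto the pipe unmodified."""
    return verb + " " + " ".join(fields) + "\n"


def frame_checked(verb, *fields):
    """Hardened form: reject any field that could end or split a record."""
    for field in fields:
        if not field or " " in field or CONTROL_CHARS.search(field):
            raise ValueError("illegal character in field: %r" % field)
    return verb + " " + " ".join(fields) + "\n"


def parent_read(pipe_data):
    """Parent side: every line received on the pipe is one record."""
    return [line.split(" ") for line in pipe_data.split("\n") if line]


def demo():
    # Constructed input: a login name carrying a line feed and a second line.
    hostile = "alice\nsecond-record injected"
    split_records = parent_read(frame_unchecked("answer", hostile))
    try:
        frame_checked("answer", hostile)
        rejected = False
    except ValueError:
        rejected = True
    clean_records = parent_read(frame_checked("answer", "alice"))
    return split_records, rejected, clean_records


if __name__ == "__main__":
    for result in demo():
        print(result)
```
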

------- Comment #4 From Jeremy Huddleston (RETIRED) 2005-09-21 16:58:46 0000 -------
alpha: mark both
hppa: mark both
mips: mark webmin
ppc: mark both
ppc64: mark both
s390: mark webmin


------- Comment #5 From Markus Rothe 2005-09-22 00:09:23 0000 -------
stable on ppc64

------- Comment #6 From Fernando J. Pereda (RETIRED) 2005-09-22 07:19:05 0000 -------
Both stable on alpha

Cheers,
Ferdy

------- Comment #7 From Michael Hanselmann (hansmi) (RETIRED) 2005-09-22 11:01:58 0000 -------
Stable on ppc and hppa

------- Comment #8 From Thierry Carrez (RETIRED) 2005-09-24 04:00:50 0000 -------
GLSA 200509-17
mips should mark webmin ~ to benefit from GLSA
