Summary: | app-admin/{usermin|webmin}: PAM Authentication Bypass Vulnerability and possible code execution | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jean-François Brunette (RETIRED) <formula7> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | eradicator |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/16858/ | ||
Whiteboard: | C1? [glsa] jaervosz | ||
Description
Jean-François Brunette (RETIRED)
2005-09-20 11:19:08 UTC
Please advise and bump as necessary. I assume that "Support full PAM conversations" is not enabled as default.

http://www.webmin.com/changes.html

We don't support pam in webmin because of bug #62123, so it is certainly off by default. I'll bump webmin/usermin in a few...

Just posted to BugTraq seems to indicate that this is worse than first expected:

Overview:
---------
A vulnerability that could result in a session ID spoofing exists in miniserv.pl, which is a webserver program that gets both Webmin and Usermin to run.

Problem Description:
--------------------
Webmin is a web-based system administration tool for Unix. Usermin is a web interface that allows all users on a Unix system to easily receive mails and to perform SSH and mail forwarding configuration.

Miniserv.pl is a webserver program that gets both Webmin and Usermin to run. Miniserv.pl carries out named pipe communication between the parent and the child process during the creation and confirmation of effectiveness of a session ID (session used for access control via the Web).

Miniserv.pl does not check whether metacharacters, such as line feed or carriage return, are included with user supplied strings during the PAM (Pluggable Authentication Modules) authentication process. Exploitation therefore, could make it possible for attackers to bypass authentication and execute arbitrary commands as root.

alpha: mark both
hppa: mark both
mips: mark webmin
ppc: mark both
ppc64: mark both
s390: mark webmin

stable on ppc64

Both stable on alpha

Cheers,
Ferdy

Stable on ppc and hppa

GLSA 200509-17

mips should mark webmin ~ to benefit from GLSA
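The failure mode the BugTraq advisory describes (a line feed or carriage return in a user-supplied string reaching the parent/child pipe unchecked) can be modelled as follows. This is an added example, not part of the bug report or of miniserv.pl's code; the record format, function names and sample input are all constructed for illustration.

```python
import re

# Hypothetical line-oriented IPC, one record per line: "<verb> <status> <user>\n".
# Toy model only; this is not miniserv.pl's actual pipe format.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample: a single "user" value with an embedded line feed.
SAMPLE_USER = "alice\nauth ok bob"


def encode_unsafe(verb, status, user):
    """Child side without validation: the user string is written verbatim."""
    return f"{verb} {status} {user}\n"


def encode_checked(verb, status, user):
    """Child side, hardened: refuse fields holding control characters or the delimiter."""
    for field in (verb, status, user):
        if not field or CONTROL_CHARS.search(field) or " " in field:
            raise ValueError(f"illegal character in IPC field: {field!r}")
    return f"{verb} {status} {user}\n"


def parent_parse(stream):
    """Parent side: treat every LF-terminated line as one record."""
    records = []
    for line in stream.split("\n"):
        parts = line.rstrip("\r").split(" ")
        if len(parts) == 3 and all(parts):
            records.append(tuple(parts))
    return records


def demo():
    """One write from the child; return what the parent sees and whether the check rejects it."""
    seen = parent_parse(encode_unsafe("auth", "denied", SAMPLE_USER))
    try:
        encode_checked("auth", "denied", SAMPLE_USER)
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    print(demo())
```

With the unchecked encoder the parent reads two records from a single write, the second one never produced by the authentication code; the checked encoder raises before anything reaches the pipe.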