Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 181385

Summary: app-admin/webmin < 1.350 and usermin < 1.280 "pam_login.cgi" XSS (CVE-2007-3156)
Product: Gentoo Security Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: armin76, beu, jesse
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/25580/
Whiteboard: B4 [glsa] p-y
Package list:
Runtime testing required: ---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-09 08:25:35 UTC 
Some vulnerabilities have been reported in Webmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to unspecified parameters in pam_login.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in version 1.340. Prior versions may also be affected.

Solution:
Update to version 1.350.

Provided and/or discovered by:
Reported by the vendor.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-09 08:28:32 UTC 
Setting status and cc'ing maintainer. please advise and bump as necessary.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-06-09 08:38:33 UTC 
*** Bug 180607 has been marked as a duplicate of this bug. ***
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-06-09 08:48:08 UTC 
beu's being retired... I'm adding armin76 to CC, since he did the last security bump.
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-06-09 14:23:07 UTC 
1.350 in the tree
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-09 17:04:58 UTC 
Thanks Raul.
Arches, please test and mark stable. Target keywords are:
webmin-1.350.ebuild:KEYWORDS="alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-06-09 17:46:53 UTC 
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-06-09 22:25:22 UTC 
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-06-10 13:49:35 UTC 
alpha/x86 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-10 14:38:20 UTC 
ppc stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-11 13:03:16 UTC 
sparc stable.
Comment 11 Christoph Mende (RETIRED) gentoo-dev 2007-06-12 23:21:17 UTC 
amd64 done
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-13 18:58:37 UTC 
I tend to vote YES.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-20 08:27:46 UTC 
I tend to vote yes too.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-25 16:25:18 UTC 
In order to stealth (and use) the victim's cookies, an attacker has to:
- have access to the webmin interface (which i think is highly insecure)
- bring the victim to a crafted, malicious URL.

Usually i vote no, but given that a webmin credentials compromise is likely to lead to a complete system compromise, i will vote yes. I still think running webmin over internet is silly.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-25 16:45:03 UTC 
usermin is certainly affected too, since the pam_login.cgi file is exactly the same one.
(between vulnerable webmin-1.340 and usermin-1.270)

Raul could you handle this (patch or bump as necessary), thanks in advance.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2007-06-25 17:02:59 UTC 
app-admin/usermin-1.280 in the tree
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-25 17:31:39 UTC 
Thx Raul.
Arches, please test and mark stable usermin-1.280. Target keywords are:
usermin-1.280:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86"
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2007-06-25 17:44:32 UTC 
hppa done.
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2007-06-25 17:56:15 UTC 
alpha/x86 stable
Comment 20 Christoph Mende (RETIRED) gentoo-dev 2007-06-25 18:51:13 UTC 
amd64 done
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-25 21:06:29 UTC 
sparc stable.
Comment 22 Markus Rothe (RETIRED) gentoo-dev 2007-06-27 07:27:16 UTC 
ppc64 stable
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-28 18:43:46 UTC 
ppc stable, ready for glsa voting.
Comment 24 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-29 13:33:47 UTC 
thanks Tobias, but we already voted previously :)
Comment 25 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-29 14:45:11 UTC 
(In reply to comment #24)
> thanks Tobias, but we already voted previously :)
> 

nevermind then :P
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-06 09:10:55 UTC 
GLSA 200707-05