Bug 145829 - app-admin/{webmin|usermin} XSS issues (CVE-2006-4542)
Summary: app-admin/{webmin|usermin} XSS issues (CVE-2006-4542)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/21690/
Whiteboard: B4 [noglsa] vorlon
Keywords:
Duplicates: 148900 148916
Depends on:
Blocks:
 
Reported: 2006-09-01 03:52 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-11-01 08:14 UTC
CC: 6 users

See Also:
Package list:
Runtime testing required: ---


Attachments:
webmin-1.300-postfix.patch (965 bytes, patch), 2006-09-24 04:12 UTC, Alexander Skwar

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-01 03:52:26 UTC
Description:
Two vulnerabilities have been reported in Webmin and Usermin, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose potentially sensitive information.

1) Some unspecified input passed via the URL isn't properly verified before being used. This can be exploited to disclose the source code of arbitrary CGI and Perl programs.

2) Some unspecified input passed via the URL isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities have been reported in the following versions:
* Webmin versions prior to 1.296.
* Usermin versions prior to 1.226.

Solution:
Webmin:
The vulnerabilities have been fixed in the 1.296 development version.

Usermin:
The vulnerabilities have been fixed in the 1.226 development version.
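The second issue above is the reflected-XSS class: a value taken from the URL is written back into the page without HTML escaping. The following is an added example, not Webmin or Usermin code and not the specific bug the advisory describes (the advisory leaves the input "unspecified"); it is a self-contained Perl CGI script that shows the unsafe reflection beside the escaped form. The helper names `parse_query`, `html_escape`, `render_unsafe` and `render_safe`, and the `msg` parameter, are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not Webmin or Usermin code: a minimal CGI script that
# reflects a query-string parameter back into HTML, first the way the
# advisory's second issue describes (unsanitised), then HTML-escaped.
# Helper names (parse_query, html_escape, render_*) are assumptions.
use strict;
use warnings;

# Decode an application/x-www-form-urlencoded query string into a hash.
sub parse_query {
    my ($qs) = @_;
    my %params;
    for my $pair (split /[&;]/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $params{$k} = $v;
    }
    return \%params;
}

# Escape the characters that can change meaning in HTML text or in
# double/single-quoted attribute values.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# The bug class: a URL-supplied value interpolated verbatim into markup,
# so any markup inside the parameter is parsed as part of the page.
sub render_unsafe {
    my ($msg) = @_;
    return "<p>$msg</p>\n";
}

# The fix: escape at the point the value is written into HTML.
sub render_safe {
    my ($msg) = @_;
    return "<p>" . html_escape($msg) . "</p>\n";
}

# Constructed sample input for running the script outside a web server:
#   QUERY_STRING='msg=%3Cb%3Ehi%3C%2Fb%3E' perl reflect.pl
my $params = parse_query($ENV{QUERY_STRING});
my $msg = defined $params->{msg} ? $params->{msg} : '';

print "Content-Type: text/html; charset=UTF-8\n\n";
print render_safe($msg);
# render_unsafe($msg) is kept only for comparison; it returns the raw
# "<p><b>hi</b></p>" for the sample input, while render_safe returns
# "<p>&lt;b&gt;hi&lt;/b&gt;</p>".
```

Run it with the `QUERY_STRING` environment variable set as in the comment and compare what `render_unsafe` and `render_safe` return for the same input. The escaping shown is the correct minimum for HTML text and quoted attribute contexts; a value written into a JavaScript block, a URL, or CSS needs the escaping rules of that context instead.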
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-09-02 02:01:36 UTC
eradicator please bump
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-19 00:35:17 UTC
SuperStu could you make another security bump?
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-09-24 03:52:06 UTC
*** Bug 148900 has been marked as a duplicate of this bug. ***
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2006-09-24 03:53:02 UTC
Current is 1.300
Comment 5 Alexander Skwar 2006-09-24 04:12:10 UTC
Created attachment 97935
webmin-1.300-postfix.patch

The postfix patch doesn't apply cleanly anymore. Attached is a new version, which can be used with webmin 1.300.

Please see attachment (id=97933) for the patch output I got with the old version of the patch.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2006-09-24 05:46:37 UTC
*** Bug 148916 has been marked as a duplicate of this bug. ***
Comment 7 Caleb Cushing 2006-09-24 05:51:35 UTC
when is 1.3 going to be released in portage? 
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 13:01:15 UTC
-dev mailed.
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-15 12:45:20 UTC
could someone pls bump this.... the bug is way too old
stuart? web-apps? eradicator?


from webmin site:

Remote source code access and XSS bug
Effects Webmin versions below 1.296, and Usermin versions below 1.226, on any operating system.
An attacker can view the source code of Webmin CGI and Perl programs using a specially crafted URL. Because the source code for Webmin is freely available, this issue should only be of concern to sites that have custom modules for which they want the source to remain hidden.
The XSS bug makes use of a similar technique to craft a URL that can allow arbitrary Javascript to be executed in the user's browser if a malicious link is clicked on.
Thanks for Keigo Yamazaki of Little eArth Corporation for finding this bug.

Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2006-10-16 12:20:34 UTC
usermin and webmin have been updated in portage.
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-17 04:18:21 UTC
finally...

arches, pls test webmin-1.300/usermin-1.230 and mark stable if possible
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2006-10-17 09:23:13 UTC
In x86:

Both packages emerge and work fine.

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i586)
=================================================================
System uname: 2.6.17-gentoo-r8 i586 AMD-K6(tm) 3D processor
Gentoo Base System version 1.12.5
Last Sync: Tue, 17 Oct 2006 13:50:01 +0000
distcc 2.18.3 i586-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i586-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i586-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/"
LINGUAS=""
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.belnet.be/packages/gentoo-portage"
USE="x86 bitmap-fonts bzip2 cairo cdr cli crypt dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode fam firefox fortran gif gpm gstreamer hal input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jpeg kernel_linux ldap libg++ mad mikmod mp3 mpeg ncurses nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i740 video_cards_i810 video_cards_imstt video_cards_mga video_cards_neomagic video_cards_nsc video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo vorbis win32codecs xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2006-10-17 10:15:39 UTC
ppc64 stable
Comment 14 Markus Meier gentoo-dev 2006-10-17 11:20:02 UTC
1. both packages emerge fine on x86
2. pass collision test
3. both seem to work

emerge --info
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.13 i686)
=================================================================
System uname: 2.6.17.13 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.5
Last Sync: Tue, 17 Oct 2006 16:50:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 15 Chris Gianelloni (RETIRED) gentoo-dev 2006-10-17 15:39:40 UTC
x86 done
Comment 16 Jason Wever (RETIRED) gentoo-dev 2006-10-17 19:36:13 UTC
SPARC stable
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2006-10-18 11:34:48 UTC
ppc stable
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2006-10-20 01:43:54 UTC
stable on hppa.
Comment 19 Thomas Cort (RETIRED) gentoo-dev 2006-10-24 03:50:20 UTC
alpha stable.

arm & s390 are already stable, removing them from CC.
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-24 05:09:50 UTC
Thanks.

Time to vote: i vote no for a web application which has vulnerabilities regularly.
Comment 21 Wolf Giesen (RETIRED) gentoo-dev 2006-10-24 05:15:15 UTC
IMHO that is not a good base for a decision. If we feel this has issues on a regular basis, we should mask it like phpBB or at least make it unstable only, thus taking it out of the scope of GentooSecurity.
Comment 22 Caleb Cushing 2006-10-24 07:42:02 UTC
everything has vulnerabilities. the problem with this package is that it's not updated as soon as it could be. I believe this last bug was only a problem if you were using your own custom proprietary module. however a fix was available and a new build was available a month before the maintainer got the new version committed. 
Comment 23 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-24 10:04:51 UTC
> everything has vulnerabilities. 

as for Secunia, 3 advisories in 2006 until now, that makes webmin/usermin belong among the most usually vulnerable software. It's like phpBB and a few other web-apps.
Many other packages lack responsive maintainers too, but they don't contain as many vulnerabilities per year.

Just for that, and because the impact is not critical at all, i vote no-glsa. (we won't issue a GLSA for each XSS discovered in webmin....)
Frilled is right: the masking of this package could be considered by the maintainers if this software turns out to be really often affected by known vulnerabilities.

> however a fix was available and a new build was available a month before the
> maintainer got the new version committed. 

A version bump may be long, that doesn't change anything about the GLSA publication decisions. But indeed, if a security bug is persistent on a package without maintainer, this package must be package.masked. Hopefully that's actually not the case for webmin/usermin thanks to Jeremy. :)
Comment 24 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-01 08:14:06 UTC
this is the description from <http://webmin.com/security.html>
<quote>
Remote source code access and XSS bug
Effects Webmin versions below 1.296, and Usermin versions below 1.226, on any operating system.
An attacker can view the source code of Webmin CGI and Perl programs using a specially crafted URL. Because the source code for Webmin is freely available, this issue should only be of concern to sites that have custom modules for which they want the source to remain hidden.
The XSS bug makes use of a similar technique to craft a URL that can allow arbitrary Javascript to be executed in the user's browser if a malicious link is clicked on.
Thanks for Keigo Yamazaki of Little eArth Corporation for finding this bug.
</quote>

/me votes no GLSA
(viewing public source code or XSS with this kind of application does not warrant a GLSA I think)