Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 181385 - app-admin/webmin < 1.350 and usermin < 1.280 "pam_login.cgi" XSS (CVE-2007-3156)
Summary: app-admin/webmin < 1.350 and usermin < 1.280 "pam_login.cgi" XSS (CVE-2007-3156)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa] p-y
: 180607 (view as bug list)
Depends on:
Reported: 2007-06-09 08:25 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-07-06 09:10 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-09 08:25:35 UTC
Some vulnerabilities have been reported in Webmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to unspecified parameters in pam_login.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in version 1.340. Prior versions may also be affected.

Update to version 1.350.

Provided and/or discovered by:
Reported by the vendor.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-09 08:28:32 UTC
Setting status and cc'ing maintainer. please advise and bump as necessary.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-06-09 08:38:33 UTC
*** Bug 180607 has been marked as a duplicate of this bug. ***
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-06-09 08:48:08 UTC
beu's being retired... I'm adding armin76 to CC, since he did the last security bump.
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-06-09 14:23:07 UTC
1.350 in the tree
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-09 17:04:58 UTC
Thanks Raul.
Arches, please test and mark stable. Target keywords are:
webmin-1.350.ebuild:KEYWORDS="alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-06-09 17:46:53 UTC
ppc64 stable
Comment 7 Jeroen Roovers gentoo-dev 2007-06-09 22:25:22 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-06-10 13:49:35 UTC
alpha/x86 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-10 14:38:20 UTC
ppc stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-11 13:03:16 UTC
sparc stable.
Comment 11 Christoph Mende (RETIRED) gentoo-dev 2007-06-12 23:21:17 UTC
amd64 done
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-13 18:58:37 UTC
I tend to vote YES.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-20 08:27:46 UTC
I tend to vote yes too.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-25 16:25:18 UTC
In order to stealth (and use) the victim's cookies, an attacker has to:
- have access to the webmin interface (which i think is highly insecure)
- bring the victim to a crafted, malicious URL.

Usually i vote no, but given that a webmin credentials compromise is likely to lead to a complete system compromise, i will vote yes. I still think running webmin over internet is silly.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-25 16:45:03 UTC
usermin is certainly affected too, since the pam_login.cgi file is exactly the same one.
(between vulnerable webmin-1.340 and usermin-1.270)

Raul could you handle this (patch or bump as necessary), thanks in advance.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2007-06-25 17:02:59 UTC
app-admin/usermin-1.280 in the tree
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-25 17:31:39 UTC
Thx Raul.
Arches, please test and mark stable usermin-1.280. Target keywords are:
usermin-1.280:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86"
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2007-06-25 17:44:32 UTC
hppa done.
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2007-06-25 17:56:15 UTC
alpha/x86 stable
Comment 20 Christoph Mende (RETIRED) gentoo-dev 2007-06-25 18:51:13 UTC
amd64 done
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-25 21:06:29 UTC
sparc stable.
Comment 22 Markus Rothe (RETIRED) gentoo-dev 2007-06-27 07:27:16 UTC
ppc64 stable
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-28 18:43:46 UTC
ppc stable, ready for glsa voting.
Comment 24 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-29 13:33:47 UTC
thanks Tobias, but we already voted previously :)
Comment 25 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-29 14:45:11 UTC
(In reply to comment #24)
> thanks Tobias, but we already voted previously :)

nevermind then :P
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-06 09:10:55 UTC
GLSA 200707-05