Bug 209453 (CVE-2008-0720) - app-admin/{webmin <1.400|usermin-1.330} - XSS security hole (CVE-2008-0720)
Summary: app-admin/{webmin <1.400|usermin-1.330} - XSS security hole (CVE-2008-0720)
Status: RESOLVED FIXED
Alias: CVE-2008-0720
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28827
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-09 19:52 UTC by Raúl Porcel (RETIRED)
Modified: 2020-04-04 12:15 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Raúl Porcel (RETIRED) gentoo-dev 2008-02-09 19:52:49 UTC
XSS (cross-site scripting) security hole
Affects Webmin versions up to 1.390, and Usermin up to 1.320.
This attack could open users who visit untrusted websites while having Webmin open in the same browser up to having their session cookie captured, which could then allow an attacker to login to Webmin without a password. The quick fix is to go to the Webmin Configuration module, click on the Trusted Referers icon, set "Referrer checking enabled?" to Yes, and un-check the box "Trust links from unknown referrers". Webmin 1.400 and Usermin 1.330 will make these settings the defaults.
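The mitigation described in the report is a referrer check on the admin interface: requests whose Referer points at a foreign site are refused, and requests with no Referer at all are only served when "trust unknown referrers" is on. The following Python is an added illustration of that decision logic, not Webmin's own Perl code; the configuration key names, the host value `localhost:10000` and the request headers are constructed for the example, and it shows the weak (pre-1.400) setting beside the corrected one.

```python
from urllib.parse import urlsplit

# Constructed configurations mirroring the two settings named in the advisory.
# The key names are hypothetical; they are not Webmin's real config format.
WEAK_CONFIG = {
    "referer_check": False,          # "Referrer checking enabled?" = No
    "trust_unknown_referers": True,  # "Trust links from unknown referrers" ticked
    "trusted_referers": set(),       # extra hosts allowed to link into the UI
}
FIXED_CONFIG = {
    "referer_check": True,           # "Referrer checking enabled?" = Yes
    "trust_unknown_referers": False, # box un-checked
    "trusted_referers": set(),
}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def referer_allowed(config, headers, own_host):
    """Return True if a request passes referrer checking under `config`.

    headers  -- the request's header dict (constructed in the tests below)
    own_host -- host[:port] the admin UI is served on, e.g. "localhost:10000"
    """
    if not config["referer_check"]:
        # Checking disabled: every request is served, including one that a
        # page on another site caused the browser to send with the session
        # cookie attached. This is the weak, pre-1.400 state.
        return True

    referer = _header(headers, "Referer")
    if referer is None:
        # No Referer header: the browser may legitimately omit it, so the
        # advisory's fix deliberately refuses such requests unless the
        # operator chose to trust unknown referrers.
        return config["trust_unknown_referers"]

    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Non-web schemes or unparseable values never count as trusted.
        return False

    # Drop any userinfo (user:pass@host) before comparing host[:port].
    source = parts.netloc.rsplit("@", 1)[-1].lower()
    trusted = {h.lower() for h in config["trusted_referers"]}
    return source == own_host.lower() or source in trusted


def compare_configs(headers, own_host="localhost:10000"):
    """Show how the same request fares under the weak and fixed settings."""
    return {
        "weak": referer_allowed(WEAK_CONFIG, headers, own_host),
        "fixed": referer_allowed(FIXED_CONFIG, headers, own_host),
    }


if __name__ == "__main__":
    # Constructed sample requests: one linked from another site, one from the
    # admin UI itself, and one with no Referer at all.
    for label, hdrs in [
        ("foreign-site link", {"Referer": "http://other.example/page.html"}),
        ("own UI link", {"Referer": "https://localhost:10000/webmin/"}),
        ("no Referer", {}),
    ]:
        print(f"{label:18} -> {compare_configs(hdrs)}")
```

The check is a mitigation for this class of attack rather than a fix for the XSS itself: it stops a foreign page from driving the logged-in browser into the admin UI, at the cost of refusing requests from clients that strip the Referer header, which is why the advisory calls out un-checking the "unknown referrers" box as part of the fix.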
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2008-02-09 19:53:51 UTC
Bah...
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2008-02-09 20:23:31 UTC
app-admin/webmin-1.400
app-admin/usermin-1.330

in the tree
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 15:12:32 UTC
Arches please test and mark stable. Target keywords are:

usermin-1.330.ebuild:KEYWORDS="alpha amd64 hppa ~ia64 ppc ppc64 sparc x86"
webmin-1.400.ebuild:KEYWORDS="alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"
Comment 4 Markus Meier gentoo-dev 2008-02-10 16:10:42 UTC
x86 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-10 17:48:07 UTC
ppc stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2008-02-11 03:01:05 UTC
ppc64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-02-11 16:27:27 UTC
alpha/sparc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-11 18:04:09 UTC
Stable for HPPA.
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2008-02-20 04:25:51 UTC
amd64 stable
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-02-23 19:08:06 UTC
Ready for decision, I vote NO.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-24 09:00:54 UTC
voting NO too, and closing.
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-02-24 19:57:56 UTC
Fixed in release snapshot.