VID | 12085 |
Severity | 40 |
Port | 10000 |
Protocol | TCP |
Class | WWW |
Detailed Description |
The Webmin/Usermin web interface is affected by a format string vulnerability in the miniserv.pl Perl web server. Webmin is a web-based system administration tool for Unix and Linux operating systems, and Usermin is a simplified version of Webmin designed for use by normal users rather than system administrators. Webmin versions prior to 1.250 and Usermin versions prior to 1.180 contain the flaw in the miniserv.pl web server component. By supplying specially crafted values for the 'username' parameter of the 'session_login.cgi' script, a remote attacker could cause the web server to crash or potentially execute arbitrary code on the affected host.
* References:
  * http://www.dyadsecurity.com/webmin-0001.html
  * http://www.securityfocus.com/archive/1/archive/1/418093/100/0/threaded
  * http://www.webmin.com/security.html
  * http://secunia.com/advisories/17817/
* Platforms Affected:
  * Usermin Project, Usermin versions prior to 1.180
  * Webmin Project, Webmin versions prior to 1.250
  * Unix, any version
  * Linux, any version |
Recommendation |
Upgrade to the latest version of Webmin / Usermin (Webmin 1.250 or Usermin 1.180 or later), available from the Webmin Web site at http://www.webmin.com/webmin/ |
Related URL | CVE-2005-3912 (CVE) |
Related URL | 15629 (SecurityFocus) |
Related URL | 23277,23380 (ISS) |