VID | 22420
Severity | 30
Port | 10000
Protocol | TCP
Class | CGI
Detailed Description |
The Webmin/Usermin web interface contains multiple vulnerabilities triggered by the NULL character. Webmin is a web-based system administration tool for Unix and Linux operating systems, and Usermin is a simplified version of Webmin designed for use by normal users rather than system administrators. Webmin versions prior to 1.296 and Usermin versions prior to 1.226 improperly handle a URL containing a null (%00) character. These flaws could allow a remote attacker to conduct cross-site scripting (XSS), read CGI program source code, and list directories.
* References:
  * http://www.webmin.com/security.html
  * http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/89_e.html
  * http://secunia.com/advisories/21690/
  * http://www.frsirt.com/english/advisories/2006/3424
* Platforms Affected:
  * Usermin Project, Usermin prior to 1.226
  * Webmin Project, Webmin prior to 1.296
  * Linux Any version
  * Unix Any version
Recommendation |
Upgrade to the latest version of Webmin / Usermin (Webmin 1.296 / Usermin 1.226 or later), available from the Webmin Web site at http://www.webmin.com/webmin/ |
Related URL | CVE-2006-4542 (CVE)
Related URL | 19820 (SecurityFocus)
Related URL | 28699,28701 (ISS)