JVNDB-2006-000939

Multiple vulnerabilities in Webmin and Usermin

Overview

Webmin and Usermin, web-based system management tools, contain the following vulnerabilities:

- Execution of arbitrary files and viewing source code by bypassing Webmin and Usermin's access restrictions
- Cross-site scripting

We are aware that these vulnerabilities have been addressed in Webmin development version 1.297 and Usermin development version 1.226, as of August 31, 2006. Please refer to "Development Versions of Webmin and Usermin" on the vendor's website for information on the latest versions of the software.

CVSS Severity

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Webmin Project
  • Usermin Version 1.220 and earlier
  • Webmin Version 1.290 and earlier
MIRACLE LINUX CORPORATION
  • Asianux Server 2.0
  • Asianux Server 2.1

Impact

A remote attacker could do the following:

- Steal Webmin and Usermin's configuration information
- Execute an arbitrary script on the user's web browser
- Possibly conduct a session hijack attack if session information from a cookie is leaked

Solution

Vendor Information

  • Webmin Project
  • MIRACLE LINUX CORPORATION

CWE

CVE

  1. CVE-2006-4542

References

  1. JVN : JVN#99776858
  2. National Vulnerability Database (NVD) : CVE-2006-4542
  3. Secunia Advisory : SA21690
  4. Secunia Advisory : SA22114
  5. SecurityFocus : 19820
  6. ISS X-Force Database : 28699
  7. SecurityTracker : 1016776
  8. SecurityTracker : 1016777
  9. FrSIRT Advisories : FrSIRT/ADV-2006-3424

Revision History

  • [2008/05/21]
      Web page published