[25383] in bugtraq
[SNS Advisory No.52] Webmin/Usermin Cross-site Scripting Vulnerability
daemon@ATHENA.MIT.EDU (snsadv@lac.co.jp)
Wed May 8 14:35:13 2002
Date: Wed, 08 May 2002 14:20:26 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com
Message-Id: <20020508141236.5D9F.SNSADV@lac.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
----------------------------------------------------------------------
SNS Advisory No.52
Webmin/Usermin Cross-site Scripting Vulnerability
Problem first discovered: Thu, 2 May 2002
Published: Tue, 7 May 2002
----------------------------------------------------------------------
Overview:
---------
The authentication page of both Webmin and Usermin is prone to a
cross-site scripting vulnerability.
Problem:
--------
Webmin is a web-based system administration tool for Unix. Usermin is
a web interface that allows all users on a Unix system to easily receive
mails and to perform SSH and mail forwarding configuration. A potential
cross-site scripting vulnerability may occur because the CGI script of
the authentication page used by both Webmin and Usermin, prints user's
input on the error page.
Webmin and Usermin users'session ID cookies cannot be acquired, since this
problem only occurs when users are not logged into these software packages.
However, there is a possibility that the cookie of a Web service may be
stolen if it is running on the same host as of Webmin/Usermin.
Tested Versions:
----------------
Webmin Version: 0.960
Usermin Version: 0.90
対策:
Solution:
---------
This problem can be eliminated by upgrading to Webmin version 0.970
/Usermin version 0.910, which are available at the following URL:
http://www.webmin.com/
Discovered by:
--------------
Keigo Yamazaki
Disclaimer:
-----------
All information in these advisories are subject to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.
