Info

Disclosure

Jun 29, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Webmin / Usermin contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an unspecified error occurs during URL handling by simplify_path() function, which will disclose files content information resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Rumored
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Upgrade to Webmin version 1.290, Usermin version 1.220, or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Webmin

1.280

Usermin

1.210

References

Bugtraq ID: 18744
Milw0rm: 1997
Exploit Database: 1997
CVE ID: 2006-3392 (see also: NVD)
Secunia Advisory ID: 20892 21105 21365 22556
SCIP VulDB ID: 2350
VUPEN Advisory: ADV-2006-2612
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0149.html
http://attrition.org/pipermail/vim/2006-June/000910.html
http://attrition.org/pipermail/vim/2006-June/000911.html
http://attrition.org/pipermail/vim/2006-June/000912.html
Vendor Specific Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200608-11.xml
Other Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:125
http://www.us.debian.org/security/2006/dsa-1199
Vendor URL: http://www.webmin.com/
Vendor Specific News/Changelog Entry: http://www.webmin.com/changes.html

Credit

Kenny Chen - Webmin

Direct URL: http://osvdb.org/26772