LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Webmin/Usermin vulnerabilities

Package(s):webmin CVE #(s):
Created:May 21, 2002 Updated:January 10, 2003
Description: Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

Alerts:
SCO Group CSSA-2003-002.0 2003-01-09
Yellow Dog YDU-20020522-7 2002-05-22
Mandrake MDKSA-2002:033 2002-05-21
(Log in to post comments)

Webmin/Usermin vulnerabilities

Posted Jun 1, 2002 1:58 UTC (Sat) by rjamestaylor (guest, #339) [Link]

A seasoned Unix admin told me to avoid remote admin tools, especially web-based ones, at any cost. I didn't listen but with the revelation that such a security hole has existed until now (!) I have lost confidence in Webmin for the foreseeable future.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds