Security Advisory: [SNS Advisory No.88] Webmin Directory Traversal Vulnerability

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  [SA20774] BNBT EasyTracker Cross-Site Scripting Vulnerabilities
  [SA20760] Project EROS bbsengine Multiple Vulnerabilities
  [SA20777] Webmin Directory Traversal Vulnerability
  vlbook 1.2 XSS Attack

From: SNS
Date: 23.06.2006
Subject: [SNS Advisory No.88] Webmin Directory Traversal Vulnerability

----------------------------------------------------------------------
SNS Advisory No.88
Webmin Directory Traversal Vulnerability

Problem first discovered on: Sun, 04 Jun 2006
Published on: Fri, 23 Jun 2006
----------------------------------------------------------------------

Severity Level:
---------------
Medium

Overview:
---------
Webmin for Windows contains directory traversal vulnerability that
allows remote attackers to download arbitrary files without authentication.

Problem Description:
--------------------
Webmin is a web-based system administration tool for Unix, MacOS X and
Windows platform.

Webmin 1.270 and earlier versions does not properly handle "\" (backslash).
On Windows platform, this allows attackers to access outside of the public
directory and files.

In default configurations of Webmin, it is required authentication to
access almost directories under top page. But there are some directories
where is not required authentication to access. For example, the directory
which stores the image used before login.

Therefore, by exploiting directory traversal vulnerability from these
directories, the vulnerability allows remote attackers to download the
contents of arbitrary files without authentication.

Affected Versions:
------------------
Webmin (on Windows) Version 1.270 and earlier versions

Solution:
---------
This problem can be addressed by upgrading Webmin to 1.280 or later.

http://www.webmin.com/

Discovered by:
--------------
Keigo Yamazaki (LAC)

Thanks to:
----------
This SNS Advisory is being published in coordination with Information-technology
Promotion Agency, Japan (IPA) and JPCERT/CC.

http://jvn.jp/jp/JVN%2367974490/index.html
http://www.ipa.go.jp/security/vuln/documents/2006/JVN_67974490_webmin.html

Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as it is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd.
shall take no responsibility for any problems, loss or damage caused
by, or by the use of information provided here.

This advisory can be found at the following URL:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/88_e.html
----------------------------------------------------------------------