ID CVE-2006-3392
Summary Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.
Vulnerable Configurations
  • cpe:2.3:a:usermin:usermin:1.210
  • cpe:2.3:a:webmin:webmin:1.2.80
CVSS
Base: 5.0 (as of 10-07-2006 - 07:55)
Impact:
Exploitability:
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
exploit-db via4
description Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit. CVE-2006-3392. Remote exploits for multiple platform
id EDB-ID:1997
last seen 2016-01-31
modified 2006-07-09
published 2006-07-09
reporter joffer
source https://www.exploit-db.com/download/1997/
title Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Exploit PHP
metasploit via4
description A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the handling of a URL. This can be exploited to read the contents of any files on the server via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).
id MSF:AUXILIARY/ADMIN/WEBMIN/FILE_DISCLOSURE
last seen 2019-02-27
modified 2017-07-24
published 2008-01-06
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/webmin/file_disclosure.rb
title Webmin File Disclosure
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_227475C209CB11DB9156000E0C2E438A.NASL
    description The webmin development team reports: An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or set up IP access control in Webmin.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21789
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21789
    title FreeBSD : webmin, usermin -- arbitrary file disclosure vulnerability (227475c2-09cb-11db-9156-000e0c2e438a)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1199.NASL
    description Several vulnerabilities have been identified in webmin, a web-based administration toolkit. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
      - CVE-2005-3912 A format string vulnerability in miniserv.pl could allow an attacker to cause a denial of service by crashing the application or exhausting system resources, and could potentially allow arbitrary code execution.
      - CVE-2006-3392 Improper input sanitization in miniserv.pl could allow an attacker to read arbitrary files on the webmin host by providing a specially crafted URL path to the miniserv http server.
      - CVE-2006-4542 Improper handling of null characters in URLs in miniserv.pl could allow an attacker to conduct cross-site scripting attacks, read CGI program source code, list local directories, and potentially execute arbitrary code.
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22908
    published 2006-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22908
    title Debian DSA-1199-1 : webmin - multiple vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-125.NASL
    description Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files. NOTE: This is a different issue than CVE-2006-3274. Updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 23876
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23876
    title Mandrake Linux Security Advisory : webmin (MDKSA-2006:125)
  • NASL family CGI abuses
    NASL id USERMIN_1220_INFO_DISCLOSURE.NASL
    description The Usermin install on the remote host is affected by an information disclosure flaw in the Perl script 'miniserv.pl'. This flaw could allow a remote, unauthenticated attacker to read arbitrary files on the affected host, subject to the privileges of the web server user id.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 77704
    published 2014-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77704
    title Usermin 'miniserv.pl' Arbitrary File Disclosure
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200608-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-200608-11 (Webmin, Usermin: File Disclosure). A vulnerability in both Webmin and Usermin has been discovered by Kenny Chen, wherein simplify_path is called before the HTML is decoded.
    Impact: A non-authenticated user can read any file on the server using a specially crafted URL.
    Workaround: For a temporary workaround, IP Access Control can be set up on Webmin and Usermin.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 22169
    published 2006-08-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22169
    title GLSA-200608-11 : Webmin, Usermin: File Disclosure
  • NASL family CGI abuses
    NASL id WEBMIN_1290.NASL
    description The version of Webmin installed on the remote host is affected by an information disclosure flaw due to a flaw in the Perl script 'miniserv.pl'. This flaw could allow a remote, unauthenticated attacker to read arbitrary files on the affected host, subject to the privileges of the web server user.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 21785
    published 2006-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21785
    title Webmin 'miniserv.pl' Arbitrary File Disclosure
refmap via4
bid 18744
bugtraq
  • 20060709 Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
  • 20060710 Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
  • 20060715 Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
  • 20060715 Webmin / Usermin Arbitrary File Disclosure Vulnerability Perl
cert-vn VU#999601
confirm http://www.webmin.com/changes.html
debian DSA-1199
gentoo GLSA-200608-11
mandriva MDKSA-2006:125
osvdb 26772
secunia
  • 20892
  • 21105
  • 21365
  • 22556
vim
  • 20060630 Webmin traversal - changelog
  • 20060711 Re: Webmin traversal - changelog
vupen ADV-2006-2612
Last major update 07-03-2011 - 00:00
Published 06-07-2006 - 16:05
Last modified 18-10-2018 - 12:47