Webmin URL Parameter Validation Flaw Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID: 1018731
SecurityTracker URL: http://securitytracker.com/id?1018731
CVE Reference: CVE-2007-5066
Updated: Mar 20 2008
Original Entry Date: Sep 24 2007
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 1.370
Description: A vulnerability was reported in Webmin, affecting Windows-based systems. A remote authenticated user can execute arbitrary commands on the target system.
A remote authenticated user can send specially crafted URL parameters to execute arbitrary Windows commands on the target system.
The commands will run with the privileges of the target web service.
Only Windows-based platforms are affected.
Impact: A remote authenticated user can execute arbitrary commands on the target system.
Solution: The vendor has issued a fixed version (1.370).
The Webmin advisory is available at:
http://www.webmin.com/security.html
Vendor URL: www.webmin.com/
Cause: Input validation error
Underlying OS: Windows (Any)
Message History:
None.
Source Message Contents
Date: Mon, 24 Sep 2007 13:35:16 -0400
Subject: Webmin
Windows-only command execution bug
Affects Webmin on Windows only, versions before 1.370.
Any user logged into Webmin can execute any command using special URL parameters.
This could be used by less-privileged Webmin users to raise their level of access.