Published: 2004-08-06 00:00:00
Revised: 2016-10-17 22:46:21

[Original] Unknown vulnerability in Webmin 1.140 allows remote attackers to bypass access control rules and gain read access to configuration information for a module.



- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20040611 [SNS Advisory No.74] Webmin Access Control Rule Bypass Vulnerability
(VENDOR_ADVISORY)  XF  webmin-bypass-security(16333)

- Vulnerability information

Medium severity: Access validation error
2004-08-06 00:00:00 2005-10-20 00:00:00

- Advisories and patches

        Webmin Upgrade webmin-1.150.tar.gz

- Vulnerability information (F33713)

dsa526.txt (PacketStormID:F33713)
2004-07-03 00:00:00
Matt Zimmerman

Debian Security Advisory DSA 526-1 - Two vulnerabilities in Webmin 1.140 allow remote attackers to bypass access control rules and the ability to brute force IDs and passwords.


--------------------------------------------------------------------------
Debian Security Advisory DSA 526-1                                        Matt Zimmerman
July 3rd, 2004
--------------------------------------------------------------------------

Package        : webmin
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2004-0582 CAN-2004-0583

Two vulnerabilities were discovered in webmin:

CAN-2004-0582: Unknown vulnerability in Webmin 1.140 allows remote
 attackers to bypass access control rules and gain read access to
 configuration information for a module.

CAN-2004-0583: The account lockout functionality in (1) Webmin 1.140
 and (2) Usermin 1.070 does not parse certain character strings, which
 allows remote attackers to conduct a brute force attack to guess user
 IDs and passwords.

For the current stable distribution (woody), these problems have been
fixed in version 0.94-7woody2.

For the unstable distribution (sid), these problems have been fixed in
version 1.150-1.

We recommend that you update your webmin package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

  Architecture independent components:

  Intel IA-32 architecture:

  These files will probably be moved into the stable distribution on
  its next revision.

---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>


- Vulnerability information

Webmin Arbitrary Module Configuration Information Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality Upgrade
Exploit Unknown Vendor Verified

- Vulnerability description

Webmin contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an unspecified error occurs, which will disclose configuration information about any module resulting in a loss of confidentiality.

- Timeline

2004-06-07 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.150 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Webmin Configuration Module Information Disclosure Vulnerability
Access Validation Error 10522
Yes No
2004-06-11 12:00:00 2009-07-12 05:16:00
Discovery of this issue is credited to Keigo Yamazaki.

- Affected program versions

Webmin Webmin 1.140
Webmin Webmin 1.0 70
+ HP Apache-Based Web Server 1.3.27 .01
+ HP Webmin-Based Admin 1.0.1 .01
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
Webmin Webmin 1.150

- Unaffected program versions

Webmin Webmin 1.150

- Vulnerability discussion

Webmin is reportedly prone to a vulnerability that allows unauthorized disclosure of the configuration of a module. This issue is due to an access validation error.

This issue may allow an attacker to view the configuration of a module for the affected application that may facilitate further attacks against the affected system.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

The vendor has released an upgrade dealing with this issue.

Turbolinux has released advisory 20050207 [TURBOLINUX SECURITY INFO] 07/Feb/2005 to address various issues. Please see the referenced advisory for more information.

Webmin Webmin 1.0 70

Webmin Webmin 1.140

- References