SecurityTracker.com
SecurityTracker Archives
Category:  Application (Generic)  >  Webmin
Vendors:  Cameron, Jamie
(Conectiva Issues Fix) Webmin Discloses Module Configuration Data to Remote Authenticated Users
SecurityTracker Alert ID:  1010718
SecurityTracker URL:  http://securitytracker.com/id?1010718
CVE Reference:  CAN-2004-0582
Date:  Jul 17 2004
Impact:  Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.140 and prior versions
Description:  Two vulnerabilities were reported in Webmin. A remote user can cause user accounts to be locked out. A remote authenticated user can view module configuration data.

The vendor reported that a remote authenticated user can view the configuration of arbitrary modules, even if the user should not have access to the module.

It is also reported that a remote user can send an invalid username or password to lock out valid users.

Impact:  A remote authenticated user can view the configuration of arbitrary modules on the system.

A remote user can lock out a valid user's account.

Solution:  Conectiva has released the following fixes:

ftp://atualizacoes.conectiva.com.br/10/SRPMS/webmin-1.150-63242U10_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/task-webmin-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/task-webmin-desktop-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/task-webmin-server-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-base-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-desktop-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-other-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-server-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-theme-mscstyle3-1.150-63242U10_1cl.noarch.rpm
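The advisory sets 1.150 as the fixed release and lists 1.140 and prior as affected. An administrator patching a fleet wants a quick, scriptable check that an installed package has actually reached the fixed release, and a naive string comparison gets dotted versions wrong (1.9 sorts after 1.10). The following is an added example written for this page, not code from SecurityTracker, Conectiva or the Webmin project; it assumes the package is queried with rpm as on Conectiva Linux 10, and the version strings it is tested against are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or from Webmin): decide whether an
# installed Webmin RPM is still below the fixed release named in the advisory.
# Assumption: the fixed version is 1.150 (taken from the advisory text).

FIXED_WEBMIN_VERSION="1.150"

# vercmp A B: prints -1, 0 or 1 as dotted version A is less than, equal to, or
# greater than B. Each component is compared numerically, so 1.9 < 1.10 and
# 1.140 < 1.150; a missing trailing component counts as 0 (1.15 == 1.15.0).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# is_below_fix VERSION: succeeds (exit 0) when VERSION is older than the
# fixed release, i.e. the package still needs the advisory's upgrade.
is_below_fix() {
    [ "$(vercmp "$1" "$FIXED_WEBMIN_VERSION")" -lt 0 ]
}

# check_installed: reads the installed webmin version from the RPM database
# and reports it. Exit status: 0 at/above fix, 1 below fix, 2 not installed
# or rpm unavailable. Only %{VERSION} is compared; the release tag
# (63242U10_1cl in the advisory) is not part of the comparison.
check_installed() {
    v=$(rpm -q --qf '%{VERSION}' webmin 2>/dev/null) || return 2
    if is_below_fix "$v"; then
        echo "webmin $v: below $FIXED_WEBMIN_VERSION, upgrade per CAN-2004-0582 advisory"
        return 1
    fi
    echo "webmin $v: at or above $FIXED_WEBMIN_VERSION"
    return 0
}
```

Run `check_installed` on the host after `apt-get upgrade` to confirm the upgrade took effect; `is_below_fix 1.140` can be used on its own when versions are collected from inventory rather than queried live.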

Vendor URL:  www.webmin.com/changes-1.150.html
Cause:  Access control error, State error
Underlying OS:  Linux (Conectiva)
Underlying OS Comments:  10
Reported By:  Conectiva Updates <secure@conectiva.com.br>
Message History:   This archive entry is a follow-up to the message listed below.
Jun 8 2004 Webmin Discloses Module Configuration Data to Remote Authenticated Users



Source Message Contents

Date:  Fri, 16 Jul 2004 19:06:45 -0300
From:  Conectiva Updates <secure@conectiva.com.br>
Subject:  [Conectiva-updates] [CLA-2004:848] Conectiva Security Announcement

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : webmin
SUMMARY   : Vulnerability in Webmin's ACL
DATE      : 2004-07-16 19:06:00
ID        : CLA-2004:848
RELEVANT
RELEASES  : 10

- -------------------------------------------------------------------------

DESCRIPTION
 Webmin[1] is an often used web-based administration interface for
 Unix systems.
 
 Keigo Yamazaki reported[2] a vulnerability[3] in webmin that would
 allow unauthenticated users to obtain read access to a module's
 configuration.


SOLUTION
 It is recommended that all Webmin users upgrade their packages. The
 Webmin service will be automatically restarted after the upgrade if
 needed.
 
 
 REFERENCES
 1. http://www.webmin.com/
 2. http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/74_e.html
 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0582


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/webmin-1.150-63242U10_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/task-webmin-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/task-webmin-desktop-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/task-webmin-server-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-base-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-desktop-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-other-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-server-1.150-63242U10_1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/webmin-theme-mscstyle3-1.150-63242U10_1cl.noarch.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM package upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFA+FF042jd0JmAcZARAoiqAJ9owpkfx0ReHXWkHaZULm6PT1J39ACgqP3u
8/jLhmKkL1LYfhJ7xFEYNU4=
=iWzF
-----END PGP SIGNATURE-----




Copyright 2004, SecurityGlobal.net LLC