Webmin Discloses Module Configuration Data to Remote Authenticated Users

SecurityTracker Alert ID: 1010422
SecurityTracker URL: http://securitytracker.com/id?1010422
CVE Reference: CAN-2004-0582
Updated: Jun 24 2004
Original Entry Date: Jun 8 2004
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.140 and prior versions

Description: Two vulnerabilities were reported in Webmin. A remote authenticated user can view the configuration of any module, and a remote user can cause valid user accounts to be locked out.

The vendor reported that a remote authenticated user can view the configuration of arbitrary modules, including modules the user has not been granted access to. Since module configuration can hold sensitive settings, any Webmin login, however restricted, should be assumed able to read the configuration of every installed module on an unpatched system.

It is also reported that a remote user can lock out valid users by sending login requests with an invalid username or password. No valid credentials are needed, so this is a remotely triggerable denial of service against legitimate Webmin users.
Impact: A remote authenticated user can view the configuration of arbitrary modules on the system.
A remote user can lock out a valid user's account.
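The lockout issue is an instance of a general design flaw: when failed logins are counted per account and a threshold blocks that account, anyone who can reach the login form can block any account whose name they know. The following is an added worked example written for this page, not Webmin's code, and it makes no claim about how miniserv implemented blocking in 1.140 or 1.150. It models two counting policies and replays the attack against both; the accounts, the source addresses (RFC 5737 documentation ranges), the threshold and the block duration are all constructed for the illustration.

```python
"""Why a per-account failed-login counter is a denial-of-service lever.

Added illustration for the lockout issue in this advisory. Not Webmin's
miniserv code; it models the general failure mode: if N failed logins
against a username block that username, anyone who knows the username can
block it. Accounts, addresses and policy values below are constructed.
"""
from collections import defaultdict

# Constructed sample accounts (plaintext only to keep the model short).
USERS = {"root": "correct horse", "alice": "hunter2"}
FAILURE_THRESHOLD = 5     # assumed policy: failures before a block
BLOCK_SECONDS = 600       # assumed policy: block duration in seconds


class LoginGuard:
    """Counts failed logins and blocks the counter's key after the threshold.

    key_by="user": one counter per username. A remote attacker who knows a
    username can exhaust it and lock out the real owner (the advisory's
    lockout denial of service).
    key_by="host": one counter per source address. The attacker blocks only
    the address they come from; the owner logging in from elsewhere is
    unaffected.
    """

    def __init__(self, key_by):
        if key_by not in ("user", "host"):
            raise ValueError("key_by must be 'user' or 'host'")
        self.key_by = key_by
        self.failures = defaultdict(int)   # key -> consecutive failures
        self.blocked_until = {}            # key -> time at which the block ends

    def _key(self, user, host):
        return user if self.key_by == "user" else host

    def login(self, user, password, host, now):
        """Returns 'ok', 'invalid' or 'blocked' for one login attempt."""
        key = self._key(user, host)
        if self.blocked_until.get(key, 0) > now:
            return "blocked"          # refused even if the password is right
        if USERS.get(user) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= FAILURE_THRESHOLD:
            self.blocked_until[key] = now + BLOCK_SECONDS
            self.failures[key] = 0
        return "invalid"


def lockout_attack(key_by):
    """Attacker at 203.0.113.9 sends bogus passwords for 'root' until the
    threshold is reached; the real admin then logs in correctly from
    198.51.100.2, and finally the attacker tries the correct password too.
    Returns (admin_result, attacker_result)."""
    guard = LoginGuard(key_by)
    for t in range(FAILURE_THRESHOLD):
        guard.login("root", "bogus", "203.0.113.9", now=t)
    admin = guard.login("root", "correct horse", "198.51.100.2",
                        now=FAILURE_THRESHOLD)
    attacker = guard.login("root", "correct horse", "203.0.113.9",
                           now=FAILURE_THRESHOLD + 1)
    return admin, attacker


if __name__ == "__main__":
    for mode in ("user", "host"):
        admin, attacker = lockout_attack(mode)
        print(f"key_by={mode}: admin={admin}, attacker={attacker}")
```

Running the block prints the outcome under both policies: with a per-user counter the legitimate administrator is refused even with the correct password, while with a per-host counter only the attacker's address is blocked. Per-host counting is not a complete answer either, since an attacker with many source addresses can spread failures across them, which is why production throttling usually pairs per-source limits with a growing per-account delay rather than a hard lock.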
Solution: The vendor has issued a fixed version (1.150), available at:
http://www.webmin.com/

Vendor URL: www.webmin.com/changes-1.150.html

Cause: Access control error, State error

Underlying OS: Linux (Any), UNIX (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Mon, 07 Jun 2004 15:19:56 -0400
Subject: http://www.webmin.com/changes-1.150.html
http://www.webmin.com/changes-1.150.html
> Changes since Webmin version 1.140
>
> Webmin Core
> Fixed a security hole that allowed any user to view the configuration of any module,
> even those that they should not have access to.
> Fixed a security hole that could allow an attacker to lock valid users by sending a
> bogus username or password.