[Webmin-maintainers] Bug#341394: Webmin miniserv.pl perl format string vulnerability - Perl syslog bug attack

Andreas Hallermann andreas at hallermann.de
Wed Nov 30 12:43:57 UTC 2005


Package: Webmin
Version: 1.180-3
Severity: grave
Tags: security

The webmin `miniserv.pl' web server component is vulnerable to a new class of
exploitable (remote code) perl format string vulnerabilities. During the login
process it is possible to trigger this vulnerability via a crafted username
parameter containing format string data. In the observed configuration the
process was running as the user root, so if remote code execution is
successful, it would lead to a full remote root compromise in a standard
configuration. A valid login is not required to trigger this vulnerability,
only access to the miniserv.pl port (default 10000).

Date Found: 	September 23, 2005.
Public Release: 	November 29, 2005.
Application: 	webmin miniserv.pl, *all versions below 1.250*
Credit: 	Jack Louis of Dyad Security

More information available at:
http://www.dyadsecurity.com/webmin-0001.html


There are new fixed versions available at http://www.webmin.com/

http://www.webmin.com/security.html says:
Perl syslog bug attack
Affects Webmin versions below 1.250 and Usermin versions below 1.180, with
syslog logging enabled.
When logging of failing login attempts via syslog is enabled, an attacker can
crash and possibly take over the Webmin webserver, due to a bug in Perl's
syslog function. Upgrading to the latest release of Webmin is recommended.
Thanks to Jack at Dyad Security for reporting this problem to me.


Since this is my first bug report to Debian I hope everything is correct.
I don't know if it is necessary to post this bug for other versions and
usermin as well. Thanks in advance!
Andreas
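
The flaw class described in the report above, as an added example that is not part of the original message and is not Webmin's code: a failed-login logger that puts an untrusted username into a syslog-style format string, beside two corrected forms. The function names, the log message wording and the sample values are assumptions made for illustration; `fake_syslog` is a hypothetical stand-in that formats with `sprintf` and returns the line, so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a syslog-style call: as with Sys::Syslog's
# syslog($priority, $format, @args), the first message argument is a
# printf-style format string. Returns the line instead of sending it.
sub fake_syslog {
    my ($priority, $format, @args) = @_;
    no warnings;    # silence sprintf's missing-argument warnings in the demo
    return "<$priority> " . sprintf($format, @args);
}

# UNSAFE: the untrusted username becomes part of the format string, so any
# conversion specifier it contains is interpreted by the formatter.
sub log_failed_login_unsafe {
    my ($user, $host) = @_;
    return fake_syslog('crit', "Failed login for $user from $host");
}

# SAFE: constant format string; untrusted values are passed as arguments only.
sub log_failed_login_safe {
    my ($user, $host) = @_;
    return fake_syslog('crit', 'Failed login for %s from %s', $user, $host);
}

# Fallback where a call site cannot be changed: neutralise '%' and control
# characters before the value can reach any format string.
sub sanitize_for_format {
    my ($value) = @_;
    $value =~ s/%/%%/g;
    $value =~ s/[\x00-\x1f\x7f]/?/g;
    return $value;
}

# Constructed sample input: a username carrying conversion specifiers.
my ($user, $host) = ('admin%s%5d', '192.0.2.10');

print "unsafe:    ", log_failed_login_unsafe($user, $host), "\n";
print "safe:      ", log_failed_login_safe($user, $host), "\n";
print "sanitized: ",
    fake_syslog('crit', 'Failed login for ' . sanitize_for_format($user) . " from $host"), "\n";
```

The unsafe line comes out with the specifiers consumed and replaced by formatter output, while the other two record the username exactly as it was submitted.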



