miniserv.pl in Webmin before 1.230 and Usermin before 1.160, when “full PAM conversations” is enabled, allows remote attackers to bypass authentication by spoofing session IDs via certain metacharacters (line feed or carriage return).
archives.neohapsis.com/archives/bugtraq/2005-09/0257.html
jvn.jp/jp/JVN%2340940493/index.html
secunia.com/advisories/16858
secunia.com/advisories/17282
securityreason.com/securityalert/17
www.gentoo.org/security/en/glsa/glsa-200509-17.xml
www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/83_e.html
www.mandriva.com/security/advisories?name=MDKSA-2005:176
www.novell.com/linux/security/advisories/2005_24_sr.html
www.osvdb.org/19575
www.securityfocus.com/bid/14889
www.vupen.com/english/advisories/2005/1791
www.webmin.com/changes-1.230.html
www.webmin.com/uchanges-1.160.html