webmin -- insecure temporary file creation at installation time

ID AE7B7F65-05C7-11D9-B45D-000C41E2CDAD
Type freebsd
Reporter FreeBSD
Modified 2004-09-15T00:00:00


The Webmin developers documented a security issue in the release notes for version 1.160:

Fixed a security hole in the maketemp.pl script, used to create the /tmp/.webmin directory at install time. If an untrusted user creates this directory before Webmin is installed, he could create in it a symbolic link pointing to a critical file on the system, which would be overwritten when Webmin writes to the link filename.
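
The following is an added example, not Webmin's maketemp.pl or its actual fix. It sketches in Python the checks an installer can make before trusting a fixed-name directory under /tmp: accept it only if it is a real directory owned by the installing user with no group/other access, and create files inside it with flags that refuse an existing symlink. The function names and the sandbox layout in demo() are assumptions, and demo() uses a constructed scratch directory in place of /tmp.

```python
import os
import stat
import tempfile

def claim_private_dir(path):
    """Create path as 0700, or accept it only if it is already ours and private."""
    try:
        os.mkdir(path, 0o700)      # atomic: fails if anything already exists
    except FileExistsError:
        pass
    st = os.lstat(path)            # lstat, so a planted symlink is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: not a directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & 0o077:
        raise PermissionError(f"{path}: open to group/other")
    return path

def write_new_file(dirpath, name, data):
    """Create a file that must not already exist; never follow a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(os.path.join(dirpath, name), flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def outcome(func, *args):
    """Report whether a call went through or was refused with an OSError."""
    try:
        func(*args)
        return "allowed"
    except OSError:
        return "refused"

def demo():
    """Constructed sandbox standing in for /tmp; returns what each case did."""
    box = tempfile.mkdtemp()
    critical = os.path.join(box, "critical.conf")   # stand-in for a system file
    write_new_file(box, "critical.conf", b"original\n")
    priv = os.path.join(box, ".webmin")
    res = {"fresh": outcome(claim_private_dir, priv)}
    os.symlink(critical, os.path.join(priv, "link"))  # link already in place
    res["write_via_link"] = outcome(write_new_file, priv, "link", b"clobbered")
    loose = os.path.join(box, "loose")
    os.mkdir(loose)
    os.chmod(loose, 0o777)                            # directory others can write
    res["loose_dir"] = outcome(claim_private_dir, loose)
    with open(critical, "rb") as fh:
        res["critical"] = fh.read()                   # must be unchanged
    return res
```

Where no fixed name is required, tempfile.mkdtemp() alone avoids the problem, because it creates a directory with an unpredictable name and mode 0700.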