Webmin has two vulnerabilities: one allows any user to view the configuration of any module, and the other could allow an attacker to lock out a valid user by sending an invalid username and password.
Reporter | Title | Published | Views | Family All 21 |
---|---|---|---|---|
![]() | Webmin 1.140 Multiple Vulnerabilities | 22 Mar 2018 00:00 | – | nessus |
![]() | Mandrake Linux Security Advisory : webmin (MDKSA-2004:074) | 31 Jul 2004 00:00 | – | nessus |
![]() | Debian DSA-526-1 : webmin - several vulnerabilities | 29 Sep 2004 00:00 | – | nessus |
![]() | GLSA-200406-15 : Usermin: Multiple vulnerabilities | 30 Aug 2004 00:00 | – | nessus |
![]() | Debian Security Advisory DSA 526-1 (webmin) | 17 Jan 2008 00:00 | – | openvas |
![]() | Gentoo Security Advisory GLSA 200406-12 (webmin) | 24 Sep 2008 00:00 | – | openvas |
![]() | Gentoo Security Advisory GLSA 200406-12 (webmin) | 24 Sep 2008 00:00 | – | openvas |
![]() | Debian Security Advisory DSA 526-1 (webmin) | 17 Jan 2008 00:00 | – | openvas |
![]() | Gentoo Security Advisory GLSA 200406-15 (Usermin) | 24 Sep 2008 00:00 | – | openvas |
![]() | Gentoo Security Advisory GLSA 200406-15 (Usermin) | 24 Sep 2008 00:00 | – | openvas |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200406-12.
#
# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
include('deprecated_nasl_level.inc');
include('compat.inc');
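# Registration branch: when the script is loaded with `description` set, it
# only declares its metadata (id, CVEs, advisory text, CVSS, dependencies and
# required KB keys) and exits before any host check is performed.
if (description)
{
  script_id(14523);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  # Identifiers tying this check to the upstream advisories.
  script_cve_id("CVE-2004-0582", "CVE-2004-0583");
  script_bugtraq_id(10474);
  script_xref(name:"GLSA", value:"200406-12");

  script_name(english:"GLSA-200406-12 : Webmin: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200406-12
(Webmin: Multiple vulnerabilities)
Webmin contains two security vulnerabilities. One allows any user to
view the configuration of any module and the other could allow an
attacker to lock out a valid user by sending an invalid username and
password.
Impact :
An authenticated user could use these vulnerabilities to view the
configuration of any module thus potentially obtaining important
knowledge about configuration settings. Furthermore, an attacker could
lock out legitimate users by sending invalid login information.
Workaround :
There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.webmin.com/changes-1.150.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200406-12"
  );

  # The package atom in the remediation text must match the package this
  # plugin actually tests (app-admin/webmin); the category was previously
  # repeated ("app-admin/app-admin/webmin"), so the printed commands named a
  # package that does not match the one checked.
  script_set_attribute(
    attribute:"solution",
    value:
"All Webmin users should upgrade to the latest stable version:
# emerge sync
# emerge -pv '>=app-admin/webmin-1.150'
# emerge '>=app-admin/webmin-1.150'"
  );

  # NOTE(review): the base vector records Au:N and A:N, while the advisory
  # text above speaks of an authenticated user for the disclosure issue and
  # of locking out valid users. Triage on the description, not on the score
  # alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Declared as a local check: the result comes from the host's package data,
  # not from probing a running Webmin service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:webmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/06/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  # Needs ssh_get_info.nasl to have run, and the three KB keys below to be
  # present, before the check body is scheduled.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  # End of the description pass; nothing after this block runs in this mode.
  exit(0);
}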
include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");
# Preconditions: local checks must be enabled, the host must have been
# identified as Gentoo, and a package list must be present in the KB.
# Each failed precondition is reported through audit().
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release"))
  audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Version comparison for app-admin/webmin: "le 1.140-r1" is listed as
# vulnerable and "ge 1.150" as unaffected.
# NOTE(review): a version strictly between those bounds matches neither list;
# how qpkg_check() classifies it is not visible here -- confirm in qpkg.inc.
affected = qpkg_check(package:"app-admin/webmin", unaffected:make_list("ge 1.150"), vulnerable:make_list("le 1.140-r1"));

if (!affected)
{
  # Nothing flagged: distinguish "package examined but not affected" from
  # "package not installed" using the list of tests qpkg.inc recorded.
  tested = qpkg_tests_get();
  if (tested)
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "Webmin");
}
else
{
  # Flagged: raise a warning-level finding on port 0, attaching the package
  # report only when report verbosity is above zero.
  if (report_verbosity > 0)
    security_warning(port:0, extra:qpkg_report_get());
  else
    security_warning(0);
  exit(0);
}