Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.USERMIN_1226_INFO_DISCLOSURE.NASL
HistorySep 16, 2014 - 12:00 a.m.

Usermin Null Byte Filtering Information Disclosure

2014-09-1600:00:00
This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
29
JSON

The version of Usermin installed on the remote host is affected by an information disclosure vulnerability due to the Perl script ‘miniserv.pl’ failing to properly filter null characters from URLs. An attacker could exploit this to reveal the source code of CGI scripts, obtain directory listings, or launch cross-site scripting attacks against the affected application.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(77705);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2006-4542");
  script_bugtraq_id(19820);

  script_name(english:"Usermin Null Byte Filtering Information Disclosure");
  script_summary(english:"Checks if nulls in a URL are filtered by miniserv.pl.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an information disclosure
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Usermin installed on the remote host is affected by an
information disclosure vulnerability due to the Perl script
'miniserv.pl' failing to properly filter null characters from URLs. An
attacker could exploit this to reveal the source code of CGI scripts,
obtain directory listings, or launch cross-site scripting attacks
against the affected application.");
  script_set_attribute(attribute:"see_also", value:"http://www.webmin.com/security.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Usermin 1.226 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/09/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:webmin:usermin");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:usermin:usermin");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("usermin_detect.nbin");
  script_require_keys("www/usermin");
  script_require_ports("Services/www", 20000);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

app = "Usermin";
port = get_http_port(default:20000, embedded: TRUE);

get_kb_item_or_exit('www/'+port+'/usermin');

dir = '/';
install_url = build_url(port:port, qs:dir);
# Some files don't require authentication; eg, those matching the
# pattern '^[A-Za-z0-9\\-/]+\\.gif'. So request a bogus gif file; if
# nulls are filtered, we'll get an error saying "Error - File not
# found"; otherwise, we'll get a login form because the null will
# cause the regex to fail.

# First send a request to the fake image and ensure we don't get a
# login page.  Prevents FP with earlier releases which don't respond
# to this attack method
filename = rand_str();

res = http_send_recv3(
  method : "GET",
  item   : dir + filename + ".gif",
  port   : port,
  fetch404 : TRUE,
  exit_on_fail : TRUE
);

if ("<form action=/session_login.cgi " >!< res[2])
{
  attack = filename + "%00.gif";
  res = http_send_recv3(
    method : "GET",
    item   : dir + attack,
    port   : port,
    exit_on_fail : TRUE
  );
  # There's a problem if we see a login form.
  if ("<form action=/session_login.cgi " >< res[2])
  {
     set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
     if (report_verbosity > 0)
     {
       report =
         '\n' + 'Nessus was able to verify this issue with the following URL :' +
         '\n' + 
         '\n' + install_url + attack + 
         '\n';
       security_warning(port:port, extra:report);
     }
     else security_warning(port);
     exit(0);
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
VendorProductVersionCPE
webminusermincpe:/a:webmin:usermin
userminusermincpe:/a:usermin:usermin

Related

cve 1
nessus 3
ubuntucve 1
openvas 2
debian 2
osv 1
cve
cve
CVE-2006-4542
2006-09-05 23:04:00
nessus
nessus
Webmin Null Byte Filtering Information Disclosure
2006-09-02 00:00:00
Mandrake Linux Security Advisory : webmin (MDKSA-2006:170-1)
2007-02-18 00:00:00
Debian DSA-1199-1 : webmin - multiple vulnerabilities
2006-10-25 00:00:00
ubuntucve
ubuntucve
CVE-2006-4542
2006-09-05 00:00:00
openvas
openvas
Debian Security Advisory DSA 1199-1 (webmin)
2008-01-17 00:00:00
Debian: Security Advisory (DSA-1199-1)
2008-01-17 00:00:00
debian
debian
[SECURITY] [DSA 1199-1] New webmin packages fix input validation problems
2006-10-24 01:10:44
[SECURITY] [DSA 1199-1] New webmin packages fix input validation problems
2006-10-24 01:10:44
osv
osv
webmin
2006-10-23 00:00:00
JSON
Related for USERMIN_1226_INFO_DISCLOSURE.NASL
cve1nessus3ubuntucve1openvas2debian2osv1