Webmin 1.670 Cross Site Scripting

2014-03-15T00:00:00
ID PACKETSTORM:125739
Type packetstorm
Reporter William Costa
Modified 2014-03-15T00:00:00

Description

                                        
                                            `I. VULNERABILITY  
  
-------------------------  
  
Reflected XSS Attacks XSS vulnerabilities in Webmin 1.670  
  
II. BACKGROUND  
  
-------------------------  
  
Webmin is a web-based interface for system administration for Unix.  
Using any modern web browser, you can setup user accounts, Apache,  
DNS, file sharing and much more. Webmin removes the need to manually  
edit Unix configuration files like /etc/passwd, and lets you manage a  
system from the console or remotely. See the standard modules page for  
a list of all the functions built into Webmin, or check out the  
screenshots.  
  
  
  
  
III. DESCRIPTION  
  
-------------------------  
  
Has been detected a Reflected XSS vulnerability in Webmin 1.670 in  
page of log, that allows the execution of arbitrary HTML/script code  
to be executed in the context of the victim user's browser.  
The code injection is done through the parameter "search" in page  
https://IP:10000/webminlog/view.cgi?id=1&search=  
  
  
  
IV. PROOF OF CONCEPT  
  
-------------------------  
  
https://192.168.49.132:10000/webminlog/view.cgi?id=1&search=e"><script>alert(document.cookie);</script>  
  
  
  
V. BUSINESS IMPACT  
  
-------------------------  
  
An attacker can execute arbitrary HTML or script code in a targeted  
  
user's browser, this can leverage to steal sensitive information as  
user credentials, personal data, etc.  
  
  
  
  
  
VI. SYSTEMS AFFECTED  
  
-------------------------  
  
  
  
Webmin version 1.670 install in Debian  
  
  
  
  
  
VII. SOLUTION  
  
-------------------------  
  
All data received by the application and can be modified by the user,  
  
before making any kind of transaction with them must be validated.  
  
VIII. References  
-------------------------  
http://www.kb.cert.org/vuls/id/381692  
http://www.webmin.com/changes.html  
`