Webmin, Usermin Need Updates

The French Security Incident Response Team (FrSIRT) has reported a pair of vulnerabilities in Webmin and Usermin that could be exploited by remote attackers. Webmin and Usermin web-based interfaces. Both are written in Perl 5 and employ CGI scripts deliver their functionality. The advisory described the two issues, as reported to FrSIRT by Keigo Yamazaki, Little eArth Corporation: The first issue is due to an error when handling malformed URLs, which could be exploited by attackers to cause malicious scripting code to be executed by the user's browser. The second flaw is due to an error when handling malformed URLs, which could be exploited by attackers to display the source code or arbitrary CGI and Perl scripts. The flaws pose a moderate risk to systems running vulnerable versions of Webmin, as they are remotely exploitable. Cross-site scripting would be the attack vector used, according to the information posted at Webmin developers have fixed both vulnerabilities in the development version of Webmin, 1.296, and Usermin, version 1.226. System administrators on Unix use Webmin to make configuration changes for services and manage accounts. Usermin provides an interface for regular users to read mail and do other user-level functions. Blogger Chris Dorner