Vulnerability: Multiple vulnerabilities in Webmin
– Disclosure of sensitive data;
– System compromise.
Affected products: Webmin 1.x
Affected versions: Webmin 1.580, possibly other versions.
Which can be exploited by malicious people to gain access to sensitive information or compromise a vulnerable system.
1. The vulnerability is caused due to input validation error in the name of the monitor type in the scenarios and edit_mon.cgi save_mon.cgi. A remote authenticated user can be exploited to inject and execute arbitrary Perl code on the system.
2. The vulnerability is caused due to insufficient processing path in the script show.cgi before calling the “open ()”. A remote authenticated user can inject and execute arbitrary commands on the system.
3. The vulnerability is caused due to insufficient input validation in the parameter “file” in the script edit_html.cgi. A remote authenticated user can view the contents of arbitrary files on the system.
Manufacturer URL: www.webmin.com
Solution: Install the update from GIT repository producer.
The fix for CVE-2012-2981
The fix for CVE-2012-2982
The fix for CVE-2012-2983