Vulnerability: Multiple vulnerabilities in Webmin
Impact:
– Disclosure of sensitive data;
– System compromise.
Severity: Medium
CVE ID:
– CVE-2012-2981;
– CVE-2012-2982;
– CVE-2012-2983.
Affected products: Webmin 1.x
Affected versions: Webmin 1.580, possibly other versions.
Description:
Multiple vulnerabilities have been found in Webmin which can be exploited by malicious people to gain access to sensitive information or compromise a vulnerable system.
1. The vulnerability is caused by an input validation error in the monitor type name in the scripts edit_mon.cgi and save_mon.cgi. A remote authenticated user can inject and execute arbitrary Perl code on the system.
2. The vulnerability is caused by insufficient processing of the path in the script show.cgi before it is passed to open(). A remote authenticated user can inject and execute arbitrary commands on the system.
3. The vulnerability is caused by insufficient input validation of the "file" parameter in the script edit_html.cgi. A remote authenticated user can view the contents of arbitrary files on the system.
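Items 2 and 3 both involve a user-supplied path reaching a file open without being constrained. The following is an added example, not Webmin's code and not the vendor's fix: a hypothetical helper, open_confined(), that resolves the path, confines it to a base directory and uses Perl's three-argument open(). The sample file and inputs are constructed.

```perl
#!/usr/bin/perl
# Added example (not Webmin code): confine a user-supplied path to a base
# directory and open it read-only with three-argument open().
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# open_confined($base, $user_path) is a hypothetical helper.
# Returns a read-only filehandle, or nothing if the path is rejected.
sub open_confined {
    my ($base, $user_path) = @_;
    return unless defined $user_path && length $user_path;
    # Reject NUL bytes and other control characters outright.
    return if $user_path =~ /[\x00-\x1f]/;

    my $root = abs_path($base);
    return unless defined $root;
    # Resolve ".." and symlinks before comparing against the base.
    my $full = abs_path(File::Spec->catfile($root, $user_path));
    return unless defined $full && -f $full;
    return unless index($full, "$root/") == 0;

    # Three-argument open: the mode is fixed to '<', so the name is taken
    # literally. With two-argument open, a '|' at the start or end of the
    # name would be interpreted as a pipe to a command.
    open(my $fh, '<', $full) or return;
    return $fh;
}

# Constructed sample data in a temporary directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/report.txt") or die "setup failed: $!";
print {$out} "ok\n";
close $out;

# Constructed inputs: one legitimate name, two traversal attempts, and a
# name carrying a pipe character.
for my $input ('report.txt', '../../etc/passwd', '/etc/passwd', 'report.txt|') {
    my $fh = open_confined($dir, $input);
    printf "%-20s %s\n", $input, $fh ? 'opened' : 'rejected';
    close $fh if $fh;
}
```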
Vendor URL: www.webmin.com
Solution: Install the update from the vendor's Git repository.
The fix for CVE-2012-2981
https://github.com/webmin/webmin/commit/ed7365064c189b8f136a9f952062249167d1bd9e
The fix for CVE-2012-2982
https://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213
The fix for CVE-2012-2983
https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80