Security Alerts

This page lists security problems found in Webmin and Usermin, versions affected and recommended solutions.

Yet another XSS (cross-site scripting) security hole
Affects Webmin versions up to 1.590.
A malicious website could create links or Javascript referencing the File Manager module that allowed execution of arbitrary commands via Webmin when the website is viewed by the victim. See CERT vulnerability note VU#788478 for more details. Thanks to Jared Allar from the American Information Security Group for reporting this problem.

Referer checks don't include port
Affects Webmin versions up to 1.590.
If an attacker controls http://example.com/ (any page on the same hostname but a different port or scheme), he could create a page with malicious Javascript that could take over a Webmin session at https://example.com:10000/ when http://example.com/ is viewed by the victim, because the Referer check compared only the hostname. Thanks to Marcin Teodorczyk for finding this issue.
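The following is an added illustration of the weak and the corrected Referer comparison; it is not Webmin's own code. It assumes Webmin is reached at https://example.com:10000/ and that the allow-list of extra trusted origins is passed in by the caller.

```python
from urllib.parse import urlsplit

# Assumed for this example (not from the page): where Webmin itself listens.
SERVER_SCHEME = "https"
SERVER_HOST = "example.com"
SERVER_PORT = 10000


def default_port(scheme):
    """Port implied by a URL scheme when none is given explicitly."""
    return {"http": 80, "https": 443}.get(scheme)


def referer_ok_hostonly(referer):
    """The weak check: compares only the hostname, so a page on the same
    host but another port or scheme (http://example.com/) passes."""
    if not referer:
        return False
    return (urlsplit(referer).hostname or "").lower() == SERVER_HOST


def referer_ok(referer, trusted=()):
    """Hardened check: scheme, host AND port of the Referer must equal the
    server's own origin or one of an explicit allow-list of origins.
    An absent Referer is rejected, matching 'do not trust unknown referers'."""
    if not referer:
        return False
    u = urlsplit(referer)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or default_port(scheme)
    origin = (scheme, host, port)

    allowed = {(SERVER_SCHEME, SERVER_HOST, SERVER_PORT)}
    for t in trusted:
        tu = urlsplit(t)
        ts = tu.scheme.lower()
        allowed.add((ts, (tu.hostname or "").lower(), tu.port or default_port(ts)))
    return origin in allowed


if __name__ == "__main__":
    for ref in ("http://example.com/evil.html",
                "https://example.com/evil.html",
                "https://example.com:10000/index.cgi",
                "https://example.com:10000@evil.com/",
                ""):
        print("%-42r host-only=%-5s full-origin=%s"
              % (ref, referer_ok_hostonly(ref), referer_ok(ref)))
```

Parsing with urlsplit rather than a substring match also matters: a Referer such as https://example.com:10000@evil.com/ contains the server's host and port as the userinfo part, but its real host is evil.com and it is rejected by both variants above. Referer checking remains a mitigation rather than a complete CSRF/XSS defence; the setting on the Trusted Referers page only helps if requests with no Referer at all are also refused.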

Another XSS (cross-site scripting) security hole
Affects Webmin versions up to 1.540.
This vulnerability can be triggered if an attacker changes his Unix real name (the GECOS field) via a tool like chfn, and a page listing users is then viewed by the root user in Webmin, because the field was not HTML-escaped before display. Thanks to Javier Bassi for reporting this bug.

Unsafe file writes in Virtualmin
Affects Virtualmin versions before 3.70.
This bug allows a virtual server owner to read or write to arbitrary files on the system by creating malicious symbolic links and then having Virtualmin perform operations on those links. Upgrading to version 3.70 is strongly recommended if your system has un-trusted domain owners.

XSS (cross-site scripting) security hole
Affects Webmin versions up to 1.390, and Usermin up to 1.320.
Users who visit untrusted websites while logged into Webmin in the same browser could have their session cookie captured, which would allow an attacker to log in to Webmin without a password. The quick fix is to go to the Webmin Configuration module, click on the Trusted Referers icon, set Referrer checking enabled? to Yes, and un-check the box Trust links from unknown referrers. Webmin 1.400 and Usermin 1.330 will make these settings the defaults.

Windows-only command execution bug
Affects Webmin on Windows only, versions before 1.380.
Any user logged into Webmin can execute any command using special URL parameters. This could be used by less-privileged Webmin users to raise their level of access.
Thanks to Keigo Yamazaki of Little eArth Corporation for finding this bug.

pam_login.cgi XSS bug
Affects Webmin versions below 1.347, and Usermin versions below 1.277, on any operating system.
A malicious link to Webmin's pam_login.cgi script can be used to execute Javascript within the Webmin server context, and perhaps steal session cookies.

chooser.cgi XSS bug
Affects Webmin versions below 1.330, and Usermin versions below 1.260, on any operating system.
When using Webmin or Usermin to browse files on a system that were created by an attacker, a specially crafted filename could be used to inject arbitrary Javascript into the browser, because the name was written into the listing page without being escaped.
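The escaping that both the filename case above and the real-name case in "Another XSS security hole" require, as an added example that is not Webmin's chooser.cgi code. The directory entries are constructed for the example; the vulnerable renderer shows the pattern of interpolating the raw name into both the link attribute and the visible text, and the hardened one escapes each context separately.

```python
import html
from urllib.parse import quote

# Constructed sample entries, as an attacker could create them on disk
# (example data, not from the page).
ENTRIES = [
    "notes.txt",
    "<script>alert(document.cookie)</script>",
    'a" onmouseover="alert(1)',
]


def render_row_unsafe(dirpath, name):
    """The vulnerable pattern: the raw name lands in an attribute value and
    in element text, so <script> and a closing quote are interpreted as HTML."""
    return '<a href="chooser.cgi?file=%s/%s">%s</a>' % (dirpath, name, name)


def render_row(dirpath, name):
    """Hardened: percent-encode the path for the URL, then HTML-escape
    (including quotes) for the attribute and again for the element text."""
    url = "chooser.cgi?file=" + quote(dirpath + "/" + name, safe="/")
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(name, quote=True))


def render_listing(dirpath, names, safe=True):
    """Build the listing with either renderer; returns the HTML fragment."""
    row = render_row if safe else render_row_unsafe
    return "<ul>\n" + "\n".join("<li>%s</li>" % row(dirpath, n) for n in names) + "\n</ul>"


def contains_raw_markup(fragment, name):
    """True if the unescaped name survives verbatim somewhere in the output."""
    return name in fragment and any(c in name for c in '<>"')


if __name__ == "__main__":
    print(render_listing("/tmp", ENTRIES, safe=False))
    print(render_listing("/tmp", ENTRIES))
```

The same two-step treatment applies to a user's real name shown in a user list: the value is data, so it is escaped for the context it lands in (HTML text, attribute, or URL) and never trusted because it came from a local file such as /etc/passwd.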

Remote source code access and XSS bug
Affects Webmin versions below 1.296, and Usermin versions below 1.226, on any operating system.
An attacker can view the source code of Webmin CGI and Perl programs using a specially crafted URL. Because the source code for Webmin is freely available, this issue should only be of concern to sites that have custom modules for which they want the source to remain hidden.
The XSS bug makes use of a similar technique to craft a URL that can allow arbitrary Javascript to be executed in the user's browser if a malicious link is clicked on.
Thanks to Keigo Yamazaki of Little eArth Corporation for finding this bug.

Arbitrary remote file access
Affects Webmin versions below 1.290, and Usermin versions below 1.220, on any operating system.
An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or set up IP access control in Webmin.
Thanks to Kenny Chen for bringing this to my attention.

Windows arbitrary file access
Affects Webmin versions below 1.280, when running on a Windows server.
If running Webmin on Windows, an attacker can remotely view the contents of any file on your system using a specially crafted URL. This does not affect other operating systems, but if you use Webmin on Windows you should upgrade to version 1.280 or later.
Thanks to Keigo Yamazaki of Little eArth Corporation for discovering this bug.

Perl syslog input attack
Affects Webmin versions below 1.250 and Usermin versions below 1.180, with syslog logging enabled.
When logging of failed login attempts via syslog is enabled, an attacker can crash and possibly take over the Webmin webserver, because attacker-controlled input (such as the supplied username) is passed unchecked to Perl's syslog function, which interprets it as a format string. Upgrading to the latest release of Webmin is recommended.
Thanks to Jack at Dyad Security for reporting this problem to me.

'Full PAM conversations' mode remote attack
Affects Webmin versions between 1.200 and 1.220 and Usermin versions between 1.130 and 1.150, when the option Support full PAM conversations? is enabled on the Authentication page.
When this option is enabled in Webmin or Usermin, an attacker can gain remote access to Webmin without needing to supply a valid login or password. Fortunately this option is not enabled by default and is rarely used unless you have a PAM setup that requires more than just a username and password, but upgrading is advised anyway.
Thanks to Keigo Yamazaki of Little eArth Corporation and JPCERT/CC for discovering and notifying me of this bug.

Brute force password guessing attack
Affects Webmin versions below 1.175 and Usermin versions below 1.104.
All versions of Webmin below 1.175 do not have password timeouts turned on by default, so an attacker can try every possible password for the root or admin user, as fast as the server will answer, until he finds the correct one.

The solution is to enable password timeouts, so that repeated failed attempts to login as the same user will become progressively slower. This can be done by following these steps:
  • Go to the Webmin Configuration module.
  • Click on the Authentication icon.
  • Select the Enable password timeouts button.
  • Click the Save button at the bottom of the page.
This problem is also present in Usermin, and can be prevented by following the same steps in the Usermin Configuration module.
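What "progressively slower" means in practice, as an added example rather than Webmin's own implementation: a small per-username limiter that starts delaying after a threshold of failures and doubles the delay each further failure up to a cap. The threshold, base delay, cap and the sample user table are assumptions for the example; a real server would compare against a salted password hash rather than the stored value shown here.

```python
import hmac
import time


class PasswordTimeouts:
    """Per-username progressive delay after failed logins.

    After `threshold` consecutive failures the next attempt for that
    username must wait `base` seconds; each further failure doubles the
    wait, capped at `cap`. `clock` is injectable so the behaviour can be
    checked without sleeping."""

    def __init__(self, threshold=3, base=2.0, cap=300.0, clock=time.time):
        self.threshold = threshold
        self.base = base
        self.cap = cap
        self.clock = clock
        self.failures = {}  # username -> (failure count, earliest next attempt)

    def delay_for(self, count):
        """Delay imposed after the count-th consecutive failure."""
        if count < self.threshold:
            return 0.0
        return min(self.base * 2 ** (count - self.threshold), self.cap)

    def wait_remaining(self, username):
        """Seconds this username must still wait before another attempt (0 = now)."""
        _, not_before = self.failures.get(username, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, username):
        count, _ = self.failures.get(username, (0, 0.0))
        count += 1
        delay = self.delay_for(count)
        self.failures[username] = (count, self.clock() + delay)
        return delay

    def record_success(self, username):
        self.failures.pop(username, None)


def try_login(limiter, users, username, password):
    """Returns ("delayed", seconds), ("failed", new_delay) or ("ok", 0.0)."""
    wait = limiter.wait_remaining(username)
    if wait > 0:
        return ("delayed", wait)
    stored = users.get(username, "")
    # Constant-time comparison; real code verifies a salted hash instead.
    if username in users and hmac.compare_digest(stored, password):
        limiter.record_success(username)
        return ("ok", 0.0)
    return ("failed", limiter.record_failure(username))


if __name__ == "__main__":
    users = {"root": "correct horse"}  # constructed sample account
    lim = PasswordTimeouts()
    for guess in ("a", "b", "c", "d"):
        print(guess, try_login(lim, users, "root", guess))
```

Because the delay is keyed on the username alone, anyone who knows a valid login name can make that user's own logins slow by feeding it wrong passwords; that trade-off is inherent to this design and is why some deployments key on the client address as well, or combine the timeout with IP access control.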

Usermin cross-site scripting vulnerability
Affects Usermin versions below 1.080
When viewing HTML email, several potentially dangerous types of URLs can be passed through to the browser. This can be used to perform malicious actions like executing commands as the logged-in Usermin user. This can only be resolved by upgrading to Webmin 1.150 or Usermin 1.080.

Module configurations are visible
Affects Webmin versions below 1.150
Even if a Webmin user does not have access to a module, he can still view its Module Config page by entering a URL that calls config.cgi with the module name as a parameter. This can only be resolved by upgrading to version 1.150 or later.

Account lockout attack
Affects Webmin versions below 1.150 and Usermin versions below 1.080
By sending a specially constructed password, an attacker can lock out other users if password timeouts are enabled. This can only be resolved by upgrading to Webmin 1.150 or Usermin 1.080.