• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Webmin Script Code Input Validation Vulnerability

Severity: MODERATE

Description:

Webmin is a web-based interface for system administration of Unix and Linux operating systems.

Webmin does not filter HTML tags from output that may be displayed by the web interface, such as log files, etc. This may enable a local attacker, with write privileges to such files, to cause arbitrary script code to be executed by the root user. Additionally, an attacker who can contrive a way to inject malicious script code into other types of output displayed by the Webmin interface may also exploit this issue.

This is the equivalent of a cross-site scripting vulnerability, initiated by a local attacker against the root user, for the sake of hijacking the root user's Webmin session.

This may enable the attacker to steal cookie-based authentication credentials from the root user, eventually resulting in an escalation of privileges for the local attacker.

Affected Products:

• Webmin Webmin 0.1.0
• Webmin Webmin 0.2.0
• Webmin Webmin 0.21.0
• Webmin Webmin 0.22.0
• Webmin Webmin 0.3.0
• Webmin Webmin 0.31.0
• Webmin Webmin 0.4.0
• Webmin Webmin 0.41.0
• Webmin Webmin 0.42.0
• Webmin Webmin 0.5.0
• Webmin Webmin 0.51.0
• Webmin Webmin 0.6.0
• Webmin Webmin 0.7.0
• Webmin Webmin 0.76.0
• Webmin Webmin 0.77.0
• Webmin Webmin 0.78.0
• Webmin Webmin 0.79.0
• Webmin Webmin 0.8.3
• Webmin Webmin 0.8.4
• Webmin Webmin 0.80.0
• Webmin Webmin 0.85.0
• Webmin Webmin 0.88.0
• Webmin Webmin 0.91.0
• Webmin Webmin 0.92.0
• Webmin Webmin 0.92.0-1

References:

• Webmin: Webmin Homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.