Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit

To: "Alexander Hristov" <joffer@xxxxxxxxx>
Subject: Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
From: "José Parrella" <joseparrella@xxxxxxxxx>
Date: Mon, 10 Jul 2006 18:02:44 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx, "Full Disclosure" <full-disclosure@xxxxxxxxxxxxxxxxx>
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=kZQ8zjSJM8PSYEuF3HiCMg+qzMc5GhoVMsVgy/AYDevqufp4fX5JNhhqJZOngJvQ/GqzNcCub8A3w22w8RErH4s2+6UOBnJ6ZtRI2ImDzb/6XC2Mn5fYodGD4DmkAhzFIe7EiImSqkP7+KhHS3zdDAcmYki+XpTL+o+s2uK0IPk=
In-reply-to: <734063a30607090657r5eda708dm46c6ce47450eed35@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <734063a30607090657r5eda708dm46c6ce47450eed35@xxxxxxxxxxxxxx>

On 7/9/06, Alexander Hristov <joffer@xxxxxxxxx> wrote:

Name : Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
Link : 
http://securitydot.net/xpl/exploits/vulnerabilities/articles/1152/exploit.html
Date :  2006-06-30
Patch : update to version 1.290
Advisory : 
http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html


Has anyone tested this? I've just tested this in Webmin 1.180 (Debian
3.1, package revision number 3) and didn't work (I had to explicitly
allow the attacker IP to the miniserv.conf, which is not the default
configuration in Debian and, I think, in Webmin's original tar.gz)

Jose

Follow-Ups:
- Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
  - From: str0ke

References:
- Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
  - From: Alexander Hristov

Prev by Date: VBZooM "sendmail.php" SQL Injection
Next by Date: Re: [Full-disclosure] ERNW Security Advisory 02/2006 - Buffer Overflow in sipXtapi (used in AOL Triton)
Previous by thread: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
Next by thread: Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
Index(es):
- Date
- Thread