The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
Webmin: three vulnerabilities
Synthesis of the vulnerability
An authenticated attacker can exploit three vulnerabilities in Webmin to execute Perl code or to read a file with root privileges.
Impacted products: MBS, MES, Solaris, Webmin.
Creation date: 07/09/2012.
Identifiers: AISG-12-000, AISG-12-001, AISG-12-002, BID-55446, CVE-2012-2981, CVE-2012-2982, CVE-2012-2983, CVE-2012-4893, MDVSA-2014:062, VIGILANCE-VUL-11923, VU#788478.
Description of the vulnerability
Three vulnerabilities were announced in Webmin.
An authenticated attacker can use the "type" parameter of status/edit_mon.cgi and status/save_mon.cgi to execute Perl code on the server. [severity:3/4; AISG-12-000, CVE-2012-2981]
An authenticated attacker can pass a malicious filename to file/show.cgi to execute a Perl command (VIGILANCE-VUL-11943). [severity:3/4; AISG-12-001, CVE-2012-2982, CVE-2012-4893]
An authenticated attacker can use file/edit_html.cgi to read a file with root privileges. [severity:3/4; AISG-12-002, CVE-2012-2983]
An authenticated attacker can therefore exploit these three vulnerabilities in Webmin to execute Perl code or to read a file with root privileges.
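For defenders, a log triage sketch covering the three issues above. This is an added example, not part of the Vigil@nce bulletin or of Webmin; the Common Log Format layout, the two allowlists and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed access-log layout (Common Log Format); adjust to your Webmin logging.
LOG_RE = re.compile(r'(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3}')
PLAIN_NAME = re.compile(r"[A-Za-z0-9_-]+")     # assumed shape of a monitor type
PLAIN_PATH = re.compile(r"[A-Za-z0-9._/ -]*")  # conservative filename allowlist
MON_CGIS = ("/status/edit_mon.cgi", "/status/save_mon.cgi")
SHOW_CGI = "/file/show.cgi"

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
192.0.2.10 - admin [07/Sep/2012:10:00:01 +0000] "GET /status/edit_mon.cgi?type=ping HTTP/1.1" 200 5120
192.0.2.44 - oper [07/Sep/2012:10:02:13 +0000] "GET /status/edit_mon.cgi?type=not%20a%20plain%20name HTTP/1.1" 200 312
192.0.2.44 - oper [07/Sep/2012:10:02:40 +0000] "GET /file/show.cgi/tmp/odd%24name HTTP/1.1" 200 88
192.0.2.10 - admin [07/Sep/2012:10:05:00 +0000] "GET /file/show.cgi/etc/hosts HTTP/1.1" 200 240
192.0.2.44 - oper [07/Sep/2012:10:06:09 +0000] "GET /file/edit_html.cgi HTTP/1.1" 200 900
192.0.2.10 - admin [07/Sep/2012:10:07:00 +0000] "GET /sysinfo.cgi HTTP/1.1" 200 700
192.0.2.10 - admin [07/Sep/2012:10:08:00 +0000] "POST /status/save_mon.cgi HTTP/1.1" 302 0
"""

def triage(log_text):
    """Return (user, client, endpoint, reason) for each request to review."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, target = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)
        if path in MON_CGIS:
            types = parse_qs(url.query, keep_blank_values=True).get("type")
            if types is None:
                findings.append((user, client, path, "type not in log line (POST body)"))
            elif not all(PLAIN_NAME.fullmatch(t) for t in types):
                findings.append((user, client, path, "type is not a plain name"))
        elif path.startswith(SHOW_CGI + "/"):
            if not PLAIN_PATH.fullmatch(path[len(SHOW_CGI):]):
                findings.append((user, client, SHOW_CGI, "unusual characters in filename"))
        elif path == "/file/edit_html.cgi":
            findings.append((user, client, path, "file opened through edit_html.cgi"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Because all three issues require an authenticated session, the user column tells you which Webmin account to review when a finding appears.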