CERTA-2006-AVI-254

Vulnerability from certfr_avis - Published: 2006-06-23 - Updated: 2006-06-23

A vulnerability in Webmin allows a malicious remote user to compromise the confidentiality of data on the vulnerable system.

Description

An error in the handling of \ characters in the Webmin URL allows a malicious remote user to access arbitrary files on the Windows system running the vulnerable Webmin by means of a specially crafted URL.

Solution

Webmin version 1.280 fixes the problem:

http://www.webmin.com/download.html

Webmin versions 1.270 and earlier on the Windows platform.


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eWebmin versions 1.270 et ant\u00e9rieures  sur plate-forme Windows.\u003c/p\u003e",
  "content": "## Description\n\nUne erreur dans la gestion des caract\u00e8res `\\` dans l\u0027URL de Webmin\npermet \u00e0 un utilisateur distant mal intentionn\u00e9 d\u0027acc\u00e9der \u00e0 des fichiers\narbitraires sur le syst\u00e8me Windows mettant en \u0153uvre le Webmin vuln\u00e9rable\npar le biais d\u0027une URL construite de fa\u00e7on particuli\u00e8re.\n\n## Solution\n\nLa version 1.280 de Webmin corrige le probl\u00e8me :\n\n    http://www.webmin.com/download.html\n",
  "cves": [],
  "initial_release_date": "2006-06-23T00:00:00",
  "last_revision_date": "2006-06-23T00:00:00",
  "links": [
    {
      "title": "Alerte de s\u00e9curit\u00e9 de Webmin du 16 juin 2006 :",
      "url": "http://www.webmin.com/security.html"
    },
    {
      "title": "Site de Webmin :",
      "url": "http://www.webmin.com"
    }
  ],
  "reference": "CERTA-2006-AVI-254",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2006-06-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans Webmin permet \u00e0 un utilisateur distant mal\nintentionn\u00e9 de porter atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es du\nsyst\u00e8me vuln\u00e9rabble.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Webmin",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Alerte de s\u00e9curit\u00e9 Webmin du 16 juin 2006",
      "url": null
    }
  ]
}

