COMMAND

	Webmin/Usermin Session ID Spoofing Vulnerability

SYSTEMS AFFECTED

	  Webmin Version: 0.960

	  Usermin Version: 0.90

	

PROBLEM

	Keigo Yamazaki of LAC Co.,Ltd [http://www.lac.co.jp/] found :
	

	Webmin is a web-based system administration tool for Unix. Usermin is  a
	web interface that allows all users on a Unix system to  easily  receive
	mails and to perform SSH and mail forwarding configuration.
	  

	Internal communication between the parent process and the child  process
	using named pipes occur in these software packages  during  creation  or
	verification of a session ID, or during the setting process of  password
	timeouts. Because the control characters contained in  the  data  passed
	as authentication information are not  eliminated,  it  is  possible  to
	make Webmin and Usermin to acknowledge the combination of any  user  and
	session ID specified by an attacker. If  the  attacker  could  log  into
	Webmin by using this problem, there  is  a  possibility  that  arbitrary
	commands may be executed with root privileges.
	

	  [Preconditions for a successful exploit]

	

	In the case of Webmin :
	

	  * Webmin->Configuration->Authentication

	    \"Enable password timeouts\" is enabled

	  * if a valid Webmin username is known

	    by default, user \"admin\" exists and this user can use all the 

	    functions, including command shell

	

	In the case of Usermin:
	 

	  * if password timeout is enabled

	  * if a valid Usermin username is known

	

SOLUTION

	This problem can be eliminated by upgrading  to  Webmin  version  0.970/
	Usermin version 0.910, which are available at:
	

	http://www.webmin.com/