Published: 2005/09/20  Last Updated: 2008/05/21

JVN#40940493
Webmin and Usermin authentication bypass vulnerability

Overview

Webmin and Usermin, web-based system management tools for UNIX, contain a vulnerability that may allow a remote attacker to bypass authentication when PAM authentication is used.

Products Affected

  • Webmin Version 1.200 - 1.220
  • Usermin Version 1.130 - 1.160

Description

Impact

A remote attacker could bypass Webmin and Usermin authentication and execute arbitrary commands with root privileges.

Solution

Vendor Status

Vendor Link
Webmin Security Alerts

References

  1. LAC SNS Advisory No.83
    Webmin/Usermin PAM Authentication Bypass Vulnerability
  2. Japan Webmin Users Group
    http://jp.webmin.com/modules/news/article.php?storyid=8

JPCERT/CC Addendum

Credit

Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2005-3042
JVN iPedia: JVNDB-2005-000537

Update History