Published:2007/10/03  Last Updated:2008/05/21

JVN#61208749
Webmin OS command injection vulnerability

Overview

Webmin, a web-based system management tool, contains a vulnerability that allows an unauthorized Webmin user to execute OS commands.

Products Affected

Webmin 1.360 for Windows and earlier

Description

Webmin is a web-based system management tool. Webmin for Windows contains a vulnerability that allows an unauthorized Webmin user to execute OS commands by entering a specially crafted URL.

Impact

An attacker could execute arbitrary OS commands with Local System privileges on a computer where Webmin is installed.

Solution

Update the Software
Webmin 1.370, in which the vulnerability is fixed, has been released by the Webmin project.

Vendor Status

Vendor Link
Webmin Security Alerts
Change Log

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.10.03

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication Standard - login caused to be created by an administrator
  • Low-Medium
User Interaction Required None - the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity Medium-High - expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise)
  • Medium

Description of each analysis measures

Credit

Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2007-5066
JVN iPedia JVNDB-2007-000730

Update History