Published:2007/10/03  Last Updated:2008/05/21

Webmin OS command injection vulnerability


Webmin, a web-based system management tool, contains a vulnerability that allows an unauthorized Webmin user to execute OS commands.

Products Affected

Webmin 1.360 for Windows and earlier


Webmin is a web-based system management tool. Webmin for Windows contains a vulnerability that allows an unauthorized Webmin user to execute OS commands by entering a specially crafted URL.


An attacker could execute arbitrary OS commands with Local System privileges on a computer where Webmin is installed.


Update the Software
Webmin 1.370, in which the vulnerability is fixed, has been released by the Webmin project.

Vendor Status

Vendor Link
Webmin Security Alerts
Change Log


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.10.03

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication Standard - login caused to be created by an administrator
  • Low-Medium
User Interaction Required None - the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity Medium-High - expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise)
  • Medium

Description of each analysis measures


Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2007-5066
JVN iPedia JVNDB-2007-000730

Update History