Webmin unspecified URL command execution
webmin-url-command-execution (36759)
Description:
Webmin could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an error in the URL validation process. By sending a specially crafted URL request, a remote attacker could exploit this vulnerability to execute arbitrary commands with elevated privileges.
Platforms Affected:
- Webmin, Webmin prior to 1.370
Remedy:
Upgrade to the latest version of Webmin (1.370 or later), available from the Webmin Web site: Security Alerts. See References.
Consequences:
Gain Privileges
References:
- Webmin Web site: Security Alerts, Windows-only command execution bug at http://www.webmin.com/security.html.
- BID-25773: Webmin Unspecified Command Execution Vulnerability
- CVE-2007-5066: Unspecified vulnerability in Webmin before 1.370 on Windows allows remote authenticated users to execute arbitrary commands via a crafted URL.
- FrSIRT/ADV-2007-3243: Webmin Unspecified Parameter Processing Command Execution Vulnerability
- FrSIRT/ADV-2007-3264: IBM Rational ClearQuest Unspecified Data Corruption Vulnerability
- SA26885: Webmin Unspecified Command Execution Vulnerability
- SA26899: IBM Rational ClearQuest Unspecified Data Corruption
- SECTRACK ID: 1018731: Webmin URL Parameter Validation Flaw Lets Remote Users Execute Arbitrary Commands
Reported:
Sep 24, 2007
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
