Usermin Null Byte Filtering Information Disclosure

medium Nessus Plugin ID 77705

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

The version of Usermin installed on the remote host is affected by an information disclosure vulnerability due to the Perl script 'miniserv.pl' failing to properly filter null characters from URLs. An attacker could exploit this to reveal the source code of CGI scripts, obtain directory listings, or launch cross-site scripting attacks against the affected application.

Solution

Upgrade to Usermin 1.226 or later.

See Also

http://www.webmin.com/security.html

Plugin Details

Severity: Medium

ID: 77705

File Name: usermin_1226_info_disclosure.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 9/16/2014

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:webmin:usermin, cpe:/a:usermin:usermin

Required KB Items: www/usermin

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 9/15/2006

Vulnerability Publication Date: 9/1/2006

Reference Information

CVE: CVE-2006-4542

BID: 19820

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990