Webmin Null Byte Filtering Information Disclosure

medium Nessus Plugin ID 22300

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

The version of Webmin installed on the remote host is affected by an information disclosure vulnerability due to the Perl script 'miniserv.pl' failing to properly filter null characters from URLs. An attacker could exploit this to reveal the source code of CGI scripts, obtain directory listings, or launch cross-site scripting attacks against the affected application.

Solution

Upgrade to Webmin version 1.296 or later.

See Also

http://www.webmin.com/security.html

http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/89_e.html

Plugin Details

Severity: Medium

ID: 22300

File Name: webmin_1296.nasl

Version: 1.24

Type: remote

Family: CGI abuses

Published: 9/2/2006

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:webmin:webmin

Required KB Items: www/webmin

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 9/15/2006

Vulnerability Publication Date: 9/1/2006

Reference Information

CVE: CVE-2006-4542

BID: 19820

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990