Debian DSA-1199-1 : webmin - multiple vulnerabilities

high Nessus Plugin ID 22908


The remote Debian host is missing a security-related update.


Several vulnerabilities have been identified in webmin, a web-based administration toolkit. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

- CVE-2005-3912 A format string vulnerability in could allow an attacker to cause a denial of service by crashing the application or exhausting system resources, and could potentially allow arbitrary code execution.

- CVE-2006-3392 Improper input sanitization in could allow an attacker to read arbitrary files on the webmin host by providing a specially crafted URL path to the miniserv http server.

- CVE-2006-4542 Improper handling of null characters in URLs in could allow an attacker to conduct cross-site scripting attacks, read CGI program source code, list local directories, and potentially execute arbitrary code.

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.


Upgrade the webmin (1.180-3sarge1) package.

For the stable distribution (sarge), these problems have been fixed in version 1.180-3sarge1.

Webmin is not included in unstable (sid) or testing (etch), so these problems are not present.

See Also

Plugin Details

Severity: High

ID: 22908

File Name: debian_DSA-1199.nasl

Version: 1.20

Type: local

Agent: unix

Published: 10/25/2006

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information


Risk Factor: Medium

Score: 4.9


Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:webmin, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/23/2006

Vulnerability Publication Date: 11/29/2005

Exploitable With


Core Impact

Reference Information

CVE: CVE-2005-3912, CVE-2006-3392, CVE-2006-4542

BID: 15629, 18744, 19820

DSA: 1199