CVE-2012-2983 - Improper Authentication

Severity

50%

Complexity

99%

Confidentiality

48%

file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field.

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N).

Demo Examples

Improper Authentication

CWE-287

The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.


               
}
}
ExitError("Error: you need to log in first");
);
);
DoAdministratorTasks();

Unfortunately, this code can be bypassed. The attacker can set the cookies independently so that the code does not check the username and password. The attacker could do this with an HTTP request containing headers such as:


               
[body of request]

By setting the loggedin cookie to "true", the attacker bypasses the entire authentication check. By using the "Administrator" value in the user cookie, the attacker also gains privileges to administer the software.
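
The bypass described above and one way to close it, as an added Python example that is not part of the original page or of any project's code. The function names, the sample accounts and the `user|expiry|mac` token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients
USERS = {"Administrator": "s3cret-admin", "guest": "guest-pw"}  # constructed sample accounts


def authenticate_user(username, password):
    """Hypothetical credential check; a real one verifies a salted password hash."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def vulnerable_is_admin(cookies, params):
    """Flawed logic from the text: client-supplied cookies count as proof of login."""
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return False
        cookies["loggedin"] = "true"
        cookies["user"] = params["username"]
    return cookies.get("user") == "Administrator"


def login(params, now, ttl=900):
    """Issue a MAC-protected session token only after the credentials verify."""
    username = params.get("username", "")
    if not authenticate_user(username, params.get("password", "")):
        return None
    payload = f"{username}|{now + ttl}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def session_user(token, now):
    """Return the username bound to a valid, unexpired token, else None."""
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return None
    username, expiry, mac = parts
    expected = hmac.new(SERVER_KEY, f"{username}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    return username if int(expiry) >= now else None


def hardened_is_admin(cookies, now):
    """The user name comes from the verified token, never from a separate cookie."""
    return session_user(cookies.get("session", ""), now) == "Administrator"
```

The hardened path ignores the loggedin and user cookies entirely, so setting them has no effect; a token whose user name or expiry is altered fails the MAC comparison.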

Overview

First reported 12 years ago

2012-09-11 18:55:00

Last updated 11 years ago

2013-05-30 03:16:00

Affected Software

Gentoo webmin 1.140.ebuild (version 1.140)

Gentoo webmin 1.150.ebuild (version 1.150)

Gentoo webmin 1.160.ebuild (version 1.160)

Gentoo webmin 1.170

Gentoo webmin 1.180

Gentoo webmin 1.200

Gentoo webmin 1.210

Gentoo webmin 1.220

Gentoo webmin 1.230

Gentoo webmin 1.240

Gentoo webmin 1.260

Gentoo webmin 1.270

Gentoo webmin 1.280

Gentoo webmin 1.290

Gentoo webmin 1.300

Gentoo webmin 1.310

Gentoo webmin 1.320

Gentoo webmin 1.330

Gentoo webmin 1.340

Gentoo webmin 1.370

Gentoo webmin 1.380

Gentoo webmin 1.390

Gentoo webmin 1.400

Gentoo webmin 1.410

Gentoo webmin 1.420

Gentoo webmin 1.430

Gentoo webmin 1.440

Gentoo webmin 1.450

Gentoo webmin 1.470

Gentoo webmin 1.480

Gentoo webmin 1.500

Gentoo webmin 1.510

Gentoo webmin 1.520

Gentoo webmin 1.530

Gentoo webmin 1.550

Gentoo webmin 1.560

Gentoo webmin 1.570

Gentoo webmin 1.580

Gentoo webmin
