Vulnerabilities for usermin 1.850 and prior.
Type: Authenticated code execution
An authenticated user can execute commands using the GPG module. This is useful if the shell module has been restricted for that user.
import.cgi line 24 executes unsanitized user input:
$out = `$gpgpath --import '$in{'file'}' 2>&1`;
- Usermin -> Tools -> File Manager -> File -> Create New File
- Filename must be command to run: '; id '
  This is because there is a check in import.cgi at line 19 to check if it is a valid file:
  -r $in{'file'} || &error($text{'import_efile'});
- Usermin -> Applications -> GPG -> Manage Keys -> Import key (local file)
- Select the created file with command and import
- Command is run as current user
- Almost all chars except /\ are valid
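The root cause is that the backtick call hands one interpolated string to /bin/sh. The sketch below is an added example, not Usermin's code or its actual fix: it runs the program from an argument list so the filename is only ever data. The names run_no_shell and import_key and the bare 'gpg' path are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Usermin's code): run a program from an argument
# list and capture stdout+stderr. No /bin/sh is involved, so quotes and
# semicolons inside an argument are never interpreted.
sub run_no_shell {
    my @argv = @_;
    my $pid = open(my $fh, '-|');          # fork; child's STDOUT feeds $fh
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        open(STDERR, '>&', \*STDOUT) or die "dup failed: $!";
        # List form with an explicit program name: execvp(), never a shell.
        exec { $argv[0] } @argv or do { print "exec failed: $!\n"; exit 127; };
    }
    my $out = do { local $/; <$fh> };      # slurp everything the child wrote
    close($fh);                            # reaps the child and sets $?
    return (defined $out ? $out : '', $? >> 8);
}

# Shell-free equivalent of the backtick call at import.cgi line 24 (a sketch).
sub import_key {
    my ($gpgpath, $file) = @_;
    -r $file or return ("not a readable file\n", 1);
    # "--" ends option parsing, so a name starting with "-" stays a filename.
    return run_no_shell($gpgpath, '--import', '--', $file);
}

# Demonstration with a stand-in for gpg: this Perl interpreter, reporting how
# many arguments it received. The filename is the one used in the steps above.
my $name = "'; id '";
my ($out, $rc) = run_no_shell($^X, '-e',
    'print scalar(@ARGV), " arg: [$ARGV[0]]\n"', $name);
print $out;

# Optional: pass a real key file on the command line to try import_key.
# 'gpg' found via PATH is an assumption; Usermin uses its own $gpgpath.
if (@ARGV) {
    my ($gpg_out, $gpg_rc) = import_key('gpg', $ARGV[0]);
    print $gpg_out;
}
```

The stand-in receives the whole filename as a single argument, which is the property the backtick version lacks.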
Type: XSS
JavaScript is not escaped properly in emails received
Receive email with the following html payload:
<iframe src=javascript:alert(document.location)>
Vulnerabilities for webmin 1.995 and prior.
Type: XSS
JavaScript is not escaped properly in emails received
Receive email with the following html payload:
- Go to Read user mail
- Press on email with payload below
- Press View HTML document
<iframe src=javascript:alert(document.location)>