September 2005
Webmin - Remote Attack Vulnerability in Webmin and Usermin
ID: 00836
Ref: 779/05
Date: 26 September 2005:16:38:10
Version: 1
Title: Webmin - Remote Attack Vulnerability in Webmin and Usermin
Abstract: The Webmin website has issued a security alert relating to a remote attack vulnerability in Webmin and Usermin.
Vendors affected: Webmin
Operating systems affected: Webmin
Applications affected: Webmin
Title
=====
Webmin - Remote Attack Vulnerability in Webmin and Usermin
Detail
======
The Webmin website has issued a security alert relating to a remote attack
vulnerability in Webmin and Usermin.
The following is the relevant extract from the Webmin security alerts page:
" 'Full PAM conversations' mode remote attack
Affects Webmin versions below 1.230 and Usermin versions below 1.160, when the option
Support full PAM conversations? is enabled on the Authentication page.
When this option is enabled in Webmin or Usermin, an attacker can gain remote access
to Webmin without needing to supply a valid login or password. Fortunately this option
is not enabled by default and is rarely used unless you have a PAM setup that requires
more than just a username and password, but upgrading is advised anyway. "
The Webmin security alert page can be viewed at the following URL:
http://www.webmin.com/security.html
Webmin 1.230 can be downloaded at the following URL:
http://www.webmin.com/download.html
Usermin 1.160 can be downloaded at the following URL:
http://www.webmin.com/udownload.html
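
To check whether a host matches the condition in the extract above (an old version with the option enabled), the following is an added example, not part of the advisory or of Webmin itself. It assumes the configuration directory (typically /etc/webmin or /etc/usermin) holds a "version" file and a "miniserv.conf", and that "Support full PAM conversations?" is stored there as pam_conv=1; the sample directories are constructed.

```shell
#!/bin/sh
# Added example: check a Webmin/Usermin config directory for the exposure
# described in this advisory. Assumed (not stated in the advisory): the config
# directory holds a "version" file and "miniserv.conf", and the
# "Support full PAM conversations?" option is stored there as pam_conv=1.

# check_pam_conv DIR FIXED_VERSION
# Prints a status word and returns:
#   0 = ok (fixed version or later)
#   1 = exposed (older version AND option enabled)
#   2 = outdated (older version, option off; upgrade still advised)
#   3 = unknown (files missing or version unparsable)
check_pam_conv() {
    dir=$1 fixed=$2
    [ -r "$dir/version" ] && [ -r "$dir/miniserv.conf" ] || { echo unknown; return 3; }
    ver=$(tr -d ' \r\n' < "$dir/version")
    case $ver in
        ''|*[!0-9.]*) echo unknown; return 3 ;;
    esac
    # Last pam_conv line wins; a missing key means the option is off.
    conv=$(sed -n 's/^pam_conv=\([0-9]*\).*/\1/p' "$dir/miniserv.conf" | tail -n 1)
    if awk -v a="$ver" -v b="$fixed" 'BEGIN { exit !(a + 0 < b + 0) }'; then
        if [ "${conv:-0}" = 1 ]; then echo exposed; return 1; fi
        echo outdated; return 2
    fi
    echo ok; return 0
}

# Constructed sample layout so the check runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/webmin" "$demo/usermin"
echo 1.220 > "$demo/webmin/version"
printf 'port=10000\npam_conv=1\n' > "$demo/webmin/miniserv.conf"
echo 1.160 > "$demo/usermin/version"
printf 'port=20000\npam_conv=1\n' > "$demo/usermin/miniserv.conf"

echo "webmin:  $(check_pam_conv "$demo/webmin" 1.230)"
echo "usermin: $(check_pam_conv "$demo/usermin" 1.160)"
rm -rf "$demo"
```

On a real host, call check_pam_conv with the actual configuration directory and the fixed version from the advisory (1.230 for Webmin, 1.160 for Usermin).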