lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110521102507.GO32435@foo.fgeek.fi>
Date: Sat, 21 May 2011 13:25:07 +0300
From: Henri Salo <henri@...v.fi>
To: Jamie Cameron <jcameron@...min.com>
Cc: full-disclosure@...ts.grok.org.uk, webadmin-devel@...ts.sourceforge.net
Subject: Re: [webmin-devel] XSS in Webmin 1.540 + exploit
 for privilege escalation

On Sat, Apr 23, 2011 at 06:11:12PM -0700, Jamie Cameron wrote:
> Hi Javier,
> 
> Thanks for reporting this - I hadn't considered this attack
> vector, as I didn't realize that chfn could be used to modify a user's
> real name.
> 
> I have created a fix which you can see at :
> 
> https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881
> 
> Also an update for the Users and Groups module can be found at 
> http://www.webmin.com/updates.html , and will be available from within
> the Webmin UI.
> 
>  - Jamie

In what Webmin-release this will be fixed? Do you have CVE-identifier for this yet?

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ