Debian Bug report logs - #391284
CVE-2006-4542: Webmin / Usermin Cross-Site Scripting and Source Code Disclosure

Package: webmin; Maintainer for webmin is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Thu, 5 Oct 2006 21:03:03 UTC

Severity: grave

Tags: security

Fixed in version 1.230-1+rm

Done: Marco Rodrigues <gothicx@sapo.pt>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>:
Bug#391284; Package webmin.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-4542: Webmin / Usermin Cross-Site Scripting and Source Code Disclosure
Date: Thu, 05 Oct 2006 21:51:08 +0200
Package: webmin
Severity: grave
Tags: security
Justification: user security hole



Webmin in sarge is probably vulnerable to CVE-2006-4542:

Webmin before 1.296 and Usermin before 1.226 do not properly handle a
URL with a null ("%00") character, which allows remote attackers to
conduct cross-site scripting (XSS), read CGI program source code, list
directories, and possibly execute programs.
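
A defender's check for the request pattern the report describes, added here as an example that is not part of the original bug log or of Webmin's code: it scans access-log lines for request targets that contain a NUL byte after percent-decoding, and goes beyond the single "%00" case by also unwinding nested encodings. The Combined Log Format, the sample log lines and all function names are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line as it appears in Common/Combined Log Format (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
MAX_DECODE_ROUNDS = 3  # bound the work spent on nested encodings


def nul_decode_depth(target, max_rounds=MAX_DECODE_ROUNDS):
    """Return how many percent-decoding rounds expose a NUL byte, or None."""
    data = target.encode("latin-1", "replace")
    for depth in range(max_rounds + 1):
        if b"\x00" in data:
            return depth
        decoded = unquote_to_bytes(data)
        if decoded == data:  # nothing left to decode
            return None
        data = decoded
    return None


def scan(lines):
    """Return (line number, decode depth, raw target) for each suspicious request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        depth = nul_decode_depth(match.group("target"))
        if depth is not None:
            hits.append((lineno, depth, match.group("target")))
    return hits


# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2006:21:00:01 +0200] "GET /page.cgi?name=a%20b HTTP/1.0" 200 512',
    '198.51.100.7 - - [05/Oct/2006:21:00:05 +0200] "GET /page.cgi%00 HTTP/1.0" 200 2048',
    '198.51.100.7 - - [05/Oct/2006:21:00:09 +0200] "GET /dir/%2500 HTTP/1.0" 200 1024',
    '192.0.2.10 - - [05/Oct/2006:21:00:12 +0200] "GET /images/logo.gif HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for lineno, depth, target in scan(SAMPLE_LOG):
        print(f"line {lineno}: NUL after {depth} decode round(s): {target}")
```

Hits against hosts still running Webmin before 1.296 or Usermin before 1.226 are the ones worth reviewing first.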



Reply sent to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #10 received at 391284-done@bugs.debian.org:

From: Marco Rodrigues <gothicx@sapo.pt>
To: 391284-done@bugs.debian.org
Subject: webmin has been removed from Debian, closing #391284
Date: Fri, 23 May 2008 17:51:02 +0100
Version: 1.230-1+rm

The webmin package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.

For more information about this package's removal, read
http://bugs.debian.org/343897 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

--
Marco Rodrigues
http://Marco.Tondela.org




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Aug 2008 10:33:00 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:24:45 2014; Machine Name: buxtehude.debian.org
