Vulnerability Name: | CVE-2003-0101 (CCN-11390)
Assigned: | 2003-02-22
Published: | 2003-02-22
Updated: | 2016-10-18
Summary: | miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as line feeds and carriage returns (CRLF) in Base-64 encoded strings during Basic authentication, which allows remote attackers to spoof a session ID and gain root privileges.
CVSS v3 Severity: | 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS v2 Severity: | 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Vulnerability Type: | CWE-Other
Vulnerability Consequences: | Gain Access
References:
- Source: CCN Type: SCO Security Advisory CSSA-2003-035.0 OpenLinux: Webmin/Usermin Session ID Spoofing Vulnerability
- Source: CCN Type: SGI Security Advisory 20030602-01-I WebSetup / WebMin Security Vulnerability
- Source: SGI Type: UNKNOWN 20030602-01-I
- Source: CCN Type: BugTraq Mailing List, Mon Feb 24 2003 - 06:45:43 CST Webmin 1.050 - 1.060 remote exploit
- Source: CCN Type: Hewlett-Packard Company Security Bulletin HPSBUX0303-250 SSRT3523 Sec. Vulnerability in Webmin/Usermin
- Source: HP Type: UNKNOWN HPSBUX0303-250
- Source: ENGARDE Type: UNKNOWN ESA-20030225-006
- Source: MITRE Type: CNA CVE-2003-0101
- Source: BUGTRAQ Type: UNKNOWN 20030224 Webmin 1.050 - 1.060 remote exploit
- Source: BUGTRAQ Type: UNKNOWN 20030224 [SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"
- Source: BUGTRAQ Type: UNKNOWN 20030224 GLSA: usermin (200302-14)
- Source: CONFIRM Type: UNKNOWN http://marc.info/?l=webmin-announce&m=104587858408101&w=2
- Source: CCN Type: Webmin-Announce Mailing List, 2003-02-22 1:39:16 Webmin version 1.070 released - fixes security hole
- Source: CCN Type: SA8115 Webmin Authentication Bypass Vulnerability
- Source: SECUNIA Type: UNKNOWN 8115
- Source: SECUNIA Type: UNKNOWN 8163
- Source: CCN Type: SECTRACK ID: 1006160 Webmin Input Validation Flaw in `miniserv.pl` May Let Remote Users Spoof Session IDs and Gain Root Access
- Source: CCN Type: CIAC Information Bulletin N-058 Vulnerabilities in Webmin/Usermin [REVISED 7 July 2004]
- Source: CIAC Type: UNKNOWN N-058
- Source: CCN Type: CIAC Information Bulletin N-106 SGI Websetup/Webmin Security Vulnerability
- Source: DEBIAN Type: UNKNOWN DSA-319
- Source: DEBIAN Type: DSA-319 webmin -- session ID spoofing
- Source: XF Type: Vendor Advisory webmin-usermin-root-access(11390)
- Source: CCN Type: SNS Advisory No.62 Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"
- Source: MISC Type: UNKNOWN http://www.lac.co.jp/security/english/snsadv_e/62_e.html
- Source: CONFIRM Type: UNKNOWN http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html
- Source: CCN Type: Gentoo Linux Security Announcement 200302-14 webmin -- unauthorized access
- Source: CCN Type: EnGarde Secure Linux Security Advisory ESA-20030225-0 WebTool session ID spoofing vulnerability.
- Source: MANDRAKE Type: UNKNOWN MDKSA-2003:025
- Source: CCN Type: OSVDB ID: 10803 Webmin/Usermin miniserv.pl Base-64 String Metacharacter Handling Session Spoofing
- Source: BID Type: UNKNOWN 6915
- Source: CCN Type: BID-6915 Webmin/Usermin Session ID Spoofing Unauthenticated Access Vulnerability
- Source: SECTRACK Type: UNKNOWN 1006160
- Source: CCN Type: Webmin Web site Updates to Webmin
- Source: XF Type: UNKNOWN webmin-usermin-root-access(11390)
Vulnerable Configuration: | Configuration 1: