Vulnerability Name: | CVE-2006-3392 (CCN-33058)
Assigned: | 2006-06-30
Published: | 2006-06-30
Updated: | 2018-10-18
Summary: | Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. Note: This is a different issue than CVE-2006-3274.
CVSS v3 Severity: | 7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
4.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C)
6.4 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C)
Vulnerability Type: | CWE-Other
Vulnerability Consequences: | Obtain Information
References: |
Source: CCN Type: BugTraq Mailing List, Sun Jul 09 2006 - 08:57:35 CDT Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
Source: CCN Type: BugTraq Mailing List, Sat Jul 15 2006 - 01:16:17 CDT Webmin / Usermin Arbitrary File Disclosure Vulnerability Perl
Source: VIM Type: UNKNOWN 20060711 Re: Webmin traversal - changelog
Source: VIM Type: UNKNOWN 20060630 Webmin traversal - changelog
Source: MITRE Type: CNA CVE-2006-3392
Source: CCN Type: SA20892 Webmin / Usermin Arbitrary File Disclosure Vulnerability
Source: SECUNIA Type: Patch, Vendor Advisory 20892
Source: SECUNIA Type: Vendor Advisory 21105
Source: SECUNIA Type: Patch, Vendor Advisory 21365
Source: SECUNIA Type: Vendor Advisory 22556
Source: GENTOO Type: UNKNOWN GLSA-200608-11
Source: DEBIAN Type: UNKNOWN DSA-1199
Source: DEBIAN Type: DSA-1199 webmin -- multiple vulnerabilities
Source: CCN Type: GLSA-200608-11 Webmin, Usermin: File Disclosure
Source: CCN Type: US-CERT VU#999601 Webmin and Usermin fail to sanitize user input
Source: CERT-VN Type: US Government Resource VU#999601
Source: MANDRIVA Type: UNKNOWN MDKSA-2006:125
Source: OSVDB Type: Patch 26772
Source: CCN Type: OSVDB ID: 26772 Webmin/Usermin simplify_path() Failure Arbitrary File Disclosure
Source: BUGTRAQ Type: UNKNOWN 20060709 Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
Source: BUGTRAQ Type: UNKNOWN 20060710 Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
Source: BUGTRAQ Type: UNKNOWN 20060715 Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit
Source: BUGTRAQ Type: UNKNOWN 20060715 Webmin / Usermin Arbitrary File Disclosure Vulnerability Perl
Source: BID Type: UNKNOWN 18744
Source: CCN Type: BID-18744 Webmin/Usermin Unspecified Information Disclosure Vulnerability
Source: VUPEN Type: Vendor Advisory ADV-2006-2612
Source: CCN Type: Webmin Change Log Change Log
Source: CONFIRM Type: UNKNOWN http://www.webmin.com/changes.html
Source: CCN Type: Usermin Change Log Change Log
Source: XF Type: UNKNOWN webmin-simplifypath-directory-traversal(33058)
Source: CCN Type: NMAP Web site File http-vuln-cve2006-3392
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: