Improper Access Control in File Manager module in webmin/webmin

Valid

Reported on

Feb 20th 2022


Description

In Webmin 1.984, any authenticated low-privilege user who did not have access to the File Manager module could still interact with a variety of File Manager capabilities, such as modifying file ownership (chown), viewing file properties, and listing or deleting files and directories on the server. It is possible to change the ownership of existing files, such as /etc/shadow, to make them world-readable, exposing the host to local privilege escalation vectors.

Proof of Concept

Affected endpoints:

POST http://{HOST}/extensions/file-manager/chown.cgi
POST http://{HOST}/extensions/file-manager/search.cgi
POST http://{HOST}/extensions/file-manager/tree.cgi
POST http://{HOST}/extensions/file-manager/list.cgi
POST http://{HOST}/xhr.cgi
POST http://{HOST}/extensions/file-manager/delete.cgi
POST http://{HOST}/extensions/file-manager/create_file.cgi
POST http://{HOST}/extensions/file-manager/rename.cgi

Impact

This vulnerability allows modifying the OS file system and listing or deleting files on the server, and it opens local privilege escalation vectors.
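As an added example (not part of the original report or of Webmin's own code), the following Python checker shows how a defender could spot this class of access-control bypass in logs: it reads miniserv-style access log lines and a webmin.acl-style user-to-module mapping, then flags File Manager requests (the /extensions/file-manager/*.cgi endpoints listed above, and /xhr.cgi calls whose module parameter is filemin, as in the researcher's follow-up comment below) made by users whose ACL does not grant the filemin module. The log lines, ACL entries, user names, and the assumption that the ACL file uses a "user: module module ..." layout are all constructed for this example.

```python
"""Flag Webmin File Manager requests from users whose ACL lacks the module.

Example code added to this report; it is not Webmin's own code. The ACL layout
("user: module module ...") and the log format (Common Log Format with the
authenticated Webmin user in the third field) are assumptions for the example.
"""
import re
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# Webmin module name of the File Manager (from the report's xhr.cgi request).
FILE_MANAGER_MODULE = "filemin"

# Constructed sample ACL, modelled on /etc/webmin/webmin.acl. Sample data only.
SAMPLE_WEBMIN_ACL = """\
root: acl backup-config filemin proc useradmin
alice: proc
bob: useradmin
"""

# Constructed sample access log lines (not taken from any real host).
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Feb/2022:10:01:02 +0000] "POST /extensions/file-manager/chown.cgi HTTP/1.1" 200 512
10.0.0.5 - alice [20/Feb/2022:10:01:09 +0000] "POST /xhr.cgi?type=file&action=stat&file=/etc/passwd&module=filemin HTTP/1.1" 200 330
10.0.0.7 - root [20/Feb/2022:10:02:00 +0000] "POST /extensions/file-manager/list.cgi HTTP/1.1" 200 2048
10.0.0.9 - bob [20/Feb/2022:10:03:15 +0000] "POST /useradmin/index.cgi HTTP/1.1" 200 1024
10.0.0.9 - bob [20/Feb/2022:10:03:40 +0000] "GET /xhr.cgi?type=cmd&module=proc HTTP/1.1" 200 100
"""

# Common Log Format: ip ident user [timestamp] "METHOD target protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_acl(acl_text: str) -> Dict[str, Set[str]]:
    """Map each user to the set of modules the ACL grants them."""
    acl: Dict[str, Set[str]] = {}
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, modules = line.partition(":")
        acl[user.strip()] = set(modules.split())
    return acl


def is_file_manager_request(target: str) -> bool:
    """True for the File Manager CGI endpoints or an xhr.cgi call routed to filemin."""
    parts = urlsplit(target)
    if parts.path.startswith("/extensions/file-manager/") and parts.path.endswith(".cgi"):
        return True
    if parts.path == "/xhr.cgi":
        # xhr.cgi is shared by several modules; only the filemin route matters here.
        return FILE_MANAGER_MODULE in parse_qs(parts.query).get("module", [])
    return False


def find_unauthorized(log_text: str, acl_text: str) -> List[Dict[str, str]]:
    """Return File Manager requests by users not granted the filemin module.

    Users missing from the ACL (including the unauthenticated "-") are treated
    as having no modules at all, so their requests are flagged too.
    """
    acl = parse_acl(acl_text)
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match or not is_file_manager_request(match["target"]):
            continue
        user = match["user"]
        if FILE_MANAGER_MODULE in acl.get(user, set()):
            continue  # user legitimately has File Manager access
        findings.append({
            "user": user,
            "ip": match["ip"],
            "timestamp": match["ts"],
            "target": match["target"],
            "status": match["status"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized(SAMPLE_LOG, SAMPLE_WEBMIN_ACL):
        print(f"{finding['timestamp']} {finding['user']}@{finding['ip']} "
              f"-> {finding['target']} (HTTP {finding['status']})")
```

A 200 response on a flagged request is the signal worth alerting on: after the fix, the same request from a user without the module should be refused, so findings with success status codes on a patched host indicate either a stale ACL or an incomplete fix.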

We are processing your report and will contact the webmin team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the webmin team and are waiting to hear back 2 years ago
webmin validated this vulnerability 2 years ago
faisalfs10x has been awarded the disclosure bounty
The fix bounty is now up for grabs
webmin
2 years ago

Maintainer


This looks to be the same vulnerability as your other report?

Faisal Fs ⚔️
2 years ago

Researcher


Unfortunately, the previous patch doesn't work. I tried to retest and then discovered new affected endpoints.

Faisal Fs ⚔️
2 years ago

Researcher


Update:

Most of the endpoints are fixed in webmin v1.985 deb. However, there is only one endpoint affected: http://$HOST/xhr.cgi?type=file&action=stat&file=/etc/passwd&module=filemin

We have sent a fix follow up to the webmin team. We will try again in 7 days. 2 years ago
webmin
2 years ago

Maintainer


That XHR issue is fixed by https://github.com/authentic-theme/authentic-theme/commit/1c25cc9c37d011c62eb0de85d471ad353f6719b3

We have sent a second fix follow up to the webmin team. We will try again in 10 days. 2 years ago
webmin marked this as fixed in 1.990 with commit 39ea46 2 years ago
The fix bounty has been dropped
create_folder.cgi#L8-L28 has been validated
create_file.cgi#L8-L28 has been validated
rename.cgi#L6-L19 has been validated
delete.cgi#L4-L20 has been validated