RCE and privesc on safe user #1635
Comments
Thanks, this does look like an issue that can be exploited if the admin has created a less-privileged user manually without using Virtualmin or Cloudmin. @iliajie this seems to be an Authentic theme-specific bug. The problem is that the code in Also, the code in
Thank you
We requested a CVE for this vulnerability; this is the reference: 1267786.
Thanks for the CVE!
Is this the form that the CVE reference should be entered into?:
Does anyone have an idea how this can be used to customize a nuclei template for recon??
Ok noted. Please enlighten me what would be the http method and the path??
The Python proof of concept code has full details on the http method and path.
You can use this one to find Webmin admin login pages, but to really find a vulnerable version, you'd have to do more.
Thank you so much @chris001. |
Jamie, this is true, and design-wise we must always treat any user input as unsafe. Although, it was assumed that a file name coming from @esp0xdeadbeef Thank you for finding this bug! For future findings (if any), it would be preferable if you could first contact us privately, using
We are releasing a new version of Webmin now that includes a fix for this issue. @esp0xdeadbeef how would you like to be credited for this fix?
Sure, I will give you both credit for the find! |
We were RCE hunting on live stream, sorry for the poc.
https://github.com/esp0xdeadbeef/rce_webmin
https://www.twitch.tv/videos/1483029790
Please patch.