Webmin/Usermin Session ID Spoofing Unauthenticated Access Vulnerability

Webmin/Usermin Session ID Spoofing Unauthenticated Access Vulnerability

Solution:
It is recommended that all Gentoo Linux users who are running
app-admin/webmin upgrade to webmin-1.070 as follows:

emerge sync
emerge -u webmin
emerge clean

Gentoo Linux have recommended users who are running app-admin/usermin upgrade to usermin-1.000 as follows:

emerge sync
emerge -u usermin
emerge clean

EnGarde Secure Linux has released an advisory and fixes for the Digitial Guardian Webtool. Users are advise to upgrade as soon as possible.

HP has made fixes for available. See referenced advisory HPSBUX0303-250 for additional details.

SGI IRIX 6.5.x releases include the websetup package, which includes vulnerable versions of Webmin. websetup versions prior to 3.5 are prone to this issue. An updated version of websetup is available with the IRIX 6.5.20 Applications CD. Users are advised to upgrade to IRIX 6.5.20 or download a patched version of websetup from SGI.

Debian has released a security advisory (DSA 319-1) containing fixes to address this issue. Further information on how to obtain and apply fixes can be found in the attached advisory.

SCO has released an advisory (CSSA-2003-035.0) for OpenLinux that includes updates to address this issue.

The vendor has released updates which address this issue:

Webmin Usermin 0.4

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.5

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.6

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.7

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.8

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.9

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.91

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.92

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.93

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.94

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.95

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.96

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.97

MandrakeSoft webmin-0.970-2.1mdk.noarch.rpm
Linux-Mandrake 7.2
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.1mdk.noarch.rpm
Single Network Firewall 7.2
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.2mdk.noarch.rpm
Mandrake Linux 8.0
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.2mdk.noarch.rpm
Mandrake Linux 8.0/PPC
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.3mdk.noarch.rpm
Mandrake Linux 8.1
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.3mdk.noarch.rpm
Mandrake Linux 8.1/IA64
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.3mdk.noarch.rpm
Mandrake Linux 8.2
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.3mdk.noarch.rpm
Mandrake Linux 8.2/PPC
http://www.mandrakesecure.net/en/ftp.php

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Webmin 0.970

MandrakeSoft webmin-0.970-2.1mdk.noarch.rpm
Linux-Mandrake 7.2
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.1mdk.noarch.rpm
Single Network Firewall 7.2
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.2mdk.noarch.rpm
Mandrake Linux 8.0
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.2mdk.noarch.rpm
Mandrake Linux 8.0/PPC
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.3mdk.noarch.rpm
Mandrake Linux 8.1
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.3mdk.noarch.rpm
Mandrake Linux 8.1/IA64
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.3mdk.noarch.rpm
Mandrake Linux 8.2
http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft webmin-0.970-2.3mdk.noarch.rpm
Mandrake Linux 8.2/PPC
http://www.mandrakesecure.net/en/ftp.php

Webmin Usermin 0.98

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Usermin 0.99

MandrakeSoft webmin-0.990-6.1mdk.noarch.rpm
Mandrake Linux 9.0
http://www.mandrakesecure.net/en/ftp.php

Webmin usermin-1.000.tar.gz
http://www.webmin.com/udownload.html

Webmin Webmin 1.0 50

Webmin webmin-1.070.tar.gz
http://www.webmin.com/download.html

Webmin Webmin 1.0 60

Webmin webmin-1.070.tar.gz
http://www.webmin.com/download.html

EnGarde Guardian Digital WebTool 1.2

Engarde Secure Linux WebTool-1.2-1.0.74.noarch.rpm
http://ftp.engardelinux.org/pub/engarde/stable/updates/noarch/WebTool- 1.2-1.0.74.noarch.rpm

Engarde Secure Linux WebTool-userpass-1.2-1.0.74.noarch.rpm
http://ftp.engardelinux.org/pub/engarde/stable/updates/noarch/WebTool- userpass-1.2-1.0.74.noarch.rpm

HP Apache-Based Web Server 1.3.27 .00

HP Apache-Based Web Server 1.3.27.01
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProdu ctInfo.pl?productNumber=B9415AA132701

SCO OpenLinux Workstation 3.1.1

SCO webmin-0.89-12.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-03 5.0/RPMS/webmin-0.89-12.i386.rpm

SCO OpenLinux Server 3.1.1

SCO webmin-0.89-12.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/R PMS/webmin-0.89-12.i386.rpm

SGI IRIX 6.5

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.1

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.10

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.11

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.12

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.13

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.14

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.15

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.16

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.17

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.18

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.19

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.2

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.3

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.4

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.5

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.6

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.7

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.8

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist

SGI IRIX 6.5.9

SGI websetup.tardist
ftp://patches.sgi.com/support/free/security/patches/6.5.20/websetup.ta rdist