2008-07-25 05:44:00

Webmin: It is fixed if we say so

On July 25th I looked a bit into an older Webmin vulnerability, hoping to fix it for the older version of Webmin shipped in pkgsrc. However, as it turned out, CVE-2008-0720 affected “almost every single search field”. Looking a bit through the search CGIs I quickly found a cross-site scripting issue as well as a URL parameter problem, so I looked into Webmin 1.400 for fixes where the problem was supposed to be fixed.

Being the nice person I am, I created a patch and sent it to the webalizer developers. The response was that there was no issue to be resolved since the referrer check would most likely catch the issues already. Thus, I decided to release information about the issue without further verification. The vendor is king, right?

Find the fixes in the current pkgsrc version.

Posted by Tonnerre Lombard | File under: security, programming