[Full-disclosure] Webmin miniserv.pl format string vulnerability
Bernhard Mueller
research at sec-consult.com
Tue Nov 29 18:26:39 GMT 2005
As it says on http://www.dyadsecurity.com/s_advisory.html:
PUBLISHED ADVISORIES.
Webmin
Date Found: September 23, 2005.
Public Release: November 29, 2005.
Application: webmin miniserv.pl, all known versions
Details: Webmin 0001 Advisory
UPCOMING ADVISORIES.
Perl
Description: Cross platform programming language.
Affected: To be announced.
Release Date: To be announced.
I guess we can expect some kind of "code execution thru perl sprintf"
advisory.
advisory at dyadsecurity.com wrote:
> SUMMARY. The webmin `miniserv.pl' web server component is vulnerable to
> a new class of exploitable (remote code) perl format string
> vulnerabilities. During the login process it is possible to trigger this
>(...)
>
> A generic remote code execution exploit method has been developed by a
> third party that is reachable though this hole itself.
>
Full-Disclosure is hosted and sponsored by Secunia.