Debian Security Advisory

DSA-526-1 webmin -- several vulnerabilities

Date Reported:
03 Jul 2004
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 10474.
In Mitre's CVE dictionary: CVE-2004-0582, CVE-2004-0583.
More information:

Two vulnerabilities were discovered in webmin:

CAN-2004-0582: Unknown vulnerability in Webmin 1.140 allows remote attackers to bypass access control rules and gain read access to configuration information for a module.

CAN-2004-0583: The account lockout functionality in (1) Webmin 1.140 and (2) Usermin 1.070 does not parse certain character strings, which allows remote attackers to conduct a brute force attack to guess user IDs and passwords.

For the current stable distribution (woody), these problems have been fixed in version 0.94-7woody2.

For the unstable distribution (sid), these problems have been fixed in version 1.150-1.

We recommend that you update your webmin package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:
Intel IA-32:

MD5 checksums of the listed files are available in the original advisory.