CVE-2006-3392
published 2006-07-06


Priority: P3 / 51 / medium / 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 77.95% (99.5th percentile)
Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
usermin | usermin | <= 1.210 |
webmin | webmin | <= 1.2.80 |

Detection & IOCs (extracted from sources)

url/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd
path/unauthenticated/
bytes
..%01
  • Look for HTTP GET requests targeting the '/unauthenticated/' path that contain '..%01' sequences. These sequences survive the removal of '../' because simplify_path runs before the filename is decoded and bytes such as '%01' are stripped from it.
  • The exploit repeats '..%01' approximately 40 times in the URL path to ensure traversal to the filesystem root regardless of working directory depth.
  • No authentication is required to exploit this vulnerability; monitor for unauthenticated requests to Webmin/Usermin containing percent-encoded traversal sequences in the URL.
  • Successful exploitation returns file contents (e.g., /etc/passwd) in the HTTP 200 response body; match response body for 'root:.*:0:0:' pattern to confirm exploitation.
  • Shodan/FOFA fingerprinting for exposed Webmin instances can be performed using the title 'webmin' to identify potentially vulnerable targets.
  • The vulnerability affects Webmin versions strictly prior to 1.290 and Usermin versions strictly prior to 1.220; patched versions are not exploitable via this technique.
  • This is a distinct issue from CVE-2006-3274; detection rules should not conflate the two vulnerabilities even though both affect Webmin path handling.
  • The exploit works over both HTTP and HTTPS; detection must cover both protocols on the Webmin/Usermin listening port (default 10000).
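
The request and response checks listed above, combined into a small log triage script. This is an added example, not code from Webmin or from this page's sources; it assumes Common Log Format access logs, the sample lines are constructed, and matching any control byte from %00 to %1f (rather than only the documented %01) is a generalization made here.

```python
import re
from urllib.parse import urlsplit

# Request and status fields of a Common Log Format line (log format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# ".." followed by a percent-encoded control byte. The page documents %01;
# covering %00-%1f is this example's generalization.
DOT_CTRL_RE = re.compile(r"\.\.%[01][0-9a-f]", re.IGNORECASE)
# Response-body pattern quoted on the page for confirming a file read.
PASSWD_RE = re.compile(r"root:.*:0:0:")

def classify(line):
    """Return None, 'attempt' or 'likely-success' for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = urlsplit(m.group("target")).path  # raw path, still percent-encoded
    if not path.lower().startswith("/unauthenticated/"):
        return None
    if not DOT_CTRL_RE.search(path):
        return None
    return "likely-success" if m.group("status") == "200" else "attempt"

def body_confirms(body):
    """True when a captured response body looks like /etc/passwd content."""
    return PASSWD_RE.search(body) is not None

def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits

# Constructed sample lines (documentation IP ranges, shortened traversal, hypothetical image path).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jul/2006:10:00:00 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1432',
    '192.0.2.10 - - [06/Jul/2006:10:00:02 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 404 0',
    '198.51.100.7 - - [06/Jul/2006:10:01:00 +0000] "GET /unauthenticated/images/logo.gif HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jul/2006:10:01:05 +0000] "GET / HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(n, verdict)
```

A 'likely-success' verdict rests on the status code alone; pass a captured response body to body_confirms() where packet capture or proxy logs are available.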