CVE-2012-2982
published 2012-09-11CVE-2012-2982: file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as…
PriorityP259medium6.5CVSS 2.0
AVNACLAuSCPIPAP
EXPLOIT
EPSS
61.92%
99.1th percentile
file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.
Affected
39 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gentoo | webmin | <= 1.590 | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
| gentoo | webmin | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploitation attempts by inspecting HTTP GET requests to /file/show.cgi containing a pipe character '|' in the URI path, which is the injection vector for arbitrary command execution. ↗
- →Monitor for POST requests to /session_login.cgi followed immediately by a GET to /file/show.cgi/bin/<random>|<command>| on port 10000 (default Webmin port), indicating automated exploitation (e.g., Metasploit module). ↗
- →Alert on HTTP 302 responses from /session_login.cgi that set a 'sid' cookie, followed by requests to /file/show.cgi containing pipe characters — this two-step pattern is the full exploit authentication + execution flow. ↗
- →Flag HTTP 200 responses from /file/show.cgi with message body matching 'Document follows', as this indicates successful command execution by the exploit. ↗
- →The exploit requires an authenticated session with access to the File Manager Module; monitor for privilege escalation to root from Webmin file manager sessions. ↗
- ·Exploitation requires valid Webmin credentials (authenticated attack); unauthenticated access alone is insufficient to trigger the vulnerability. ↗
- ·The Metasploit module defaults to SSL on port 10000; detections should account for TLS-encrypted traffic on this port when deploying network-based signatures. ↗
- ·The vulnerability affects Webmin 1.590 and earlier (module tested on 1.580); versions above 1.590 are not affected by this specific code path. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-hh2h-5vcr-gr3x: Multiple cross-site request forgery (CSRF) vulnerabilities in file/show
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2012-4893 [MEDIUM] CWE-352 GHSA-hh2h-5vcr-gr3x: Multiple cross-site request forgery (CSRF) vulnerabilities in file/show
Multiple cross-site request forgery (CSRF) vulnerabilities in file/show.cgi in Webmin 1.590 and earlier allow remote attackers to hijack the authentication of privileged users for requests that (1) read files or execute (2) tar, (3) zip, or (4) gzip commands, a different issue than CVE-2012-2982.
GHSA
GHSA-vpgr-2w9j-94m5: file/show
ghsa_unreviewed·2022-05-17
CVE-2012-2982 [MEDIUM] GHSA-vpgr-2w9j-94m5: file/show
file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.
No detection rules found.
Exploit-DB
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit)
exploitdb·2012-10-10
CVE-2012-2982 Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit)
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Webmin /file/show.cgi Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in Webmin
1.580. The vulnerability exists in the /file/show.cgi component and allows an
authenticated user, with access to the File Manager Module, to execute arbitrary
commands with root privileges. The module has been tested successfully with Webim
1.580 over Ubuntu 10.04.
},
'Author' => [
'Unknown', # From A
Metasploit
Webmin /file/show.cgi Remote Command Execution
metasploit
Webmin /file/show.cgi Remote Command Execution
Webmin /file/show.cgi Remote Command Execution
This module exploits an arbitrary command execution vulnerability in Webmin 1.580. The vulnerability exists in the /file/show.cgi component and allows an authenticated user, with access to the File Manager Module, to execute arbitrary commands with root privileges. The module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.
http://americaninfosec.com/research/index.htmlhttp://www.americaninfosec.com/research/dossiers/AISG-12-001.pdfhttp://www.kb.cert.org/vuls/id/788478http://www.securitytracker.com/id?1027507http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdfhttps://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213http://americaninfosec.com/research/index.htmlhttp://www.americaninfosec.com/research/dossiers/AISG-12-001.pdfhttp://www.kb.cert.org/vuls/id/788478http://www.securitytracker.com/id?1027507http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdfhttps://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213
2012-09-11
Published