[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Webmin miniserv.pl format string vulnerability
- To: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Webmin miniserv.pl format string vulnerability
- From: Bernhard Mueller <research@xxxxxxxxxxxxxxx>
- Date: Tue, 29 Nov 2005 19:26:39 +0100
As it says on http://www.dyadsecurity.com/s_advisory.html:
PUBLISHED ADVISORIES.
Webmin
Date Found: September 23, 2005.
Public Release: November 29, 2005.
Application: webmin miniserv.pl, all known versions
Details: Webmin 0001 Advisory
UPCOMING ADVISORIES.
Perl
Description: Cross platform programming language.
Affected: To be announced.
Release Date: To be announced.
I guess we can expect some kind of "code execution thru perl sprintf"
advisory.
advisory@xxxxxxxxxxxxxxxx wrote:
> SUMMARY. The webmin `miniserv.pl' web server component is vulnerable to
> a new class of exploitable (remote code) perl format string
> vulnerabilities. During the login process it is possible to trigger this
>(...)
>
> A generic remote code execution exploit method has been developed by a
> third party that is reachable though this hole itself.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/