QwikSec

Security Database

CVE

CWE

Training

CVE-2006-3392

Published: Jul 6, 2006

Modified: Aug 7, 2024

PUBLISHED

Description

Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

third-party-advisory

x_refsource_SECUNIA

vendor-advisory

x_refsource_GENTOO

http://www.webmin.com/changes.html

x_refsource_CONFIRM

20060710 Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit

mailing-list

x_refsource_BUGTRAQ

third-party-advisory

x_refsource_SECUNIA

vdb-entry

x_refsource_BID

20060715 Webmin / Usermin Arbitrary File Disclosure Vulnerability Perl

mailing-list

x_refsource_BUGTRAQ

20060715 Re: Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit

mailing-list

x_refsource_BUGTRAQ

third-party-advisory

x_refsource_CERT-VN

vendor-advisory

x_refsource_DEBIAN

20060630 Webmin traversal - changelog

mailing-list

x_refsource_VIM

third-party-advisory

x_refsource_SECUNIA

vendor-advisory

x_refsource_MANDRIVA

vdb-entry

x_refsource_VUPEN

20060709 Webmin / Usermin Arbitrary File Disclosure Vulnerability exploit

mailing-list

x_refsource_BUGTRAQ

vdb-entry

x_refsource_OSVDB

third-party-advisory

x_refsource_SECUNIA

20060711 Re: Webmin traversal - changelog

mailing-list

x_refsource_VIM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.