Improper Access Control in File Manager module in webmin/webmin


Reported on

Feb 20th 2022


In Webmin 1.984, any authenticated low-privilege user without access to the File Manager module could still use a variety of file manager capabilities, such as modifying file ownership (chown), viewing file properties, and listing or deleting files and directories on the server. It is possible to change the ownership of existing files, such as /etc/shadow, to make it a world-readable file, leaving the system susceptible to local privilege escalation vectors.

Proof of Concept

Affected endpoints:

POST http://{HOST}/extensions/file-manager/chown.cgi
POST http://{HOST}/extensions/file-manager/search.cgi
POST http://{HOST}/extensions/file-manager/tree.cgi
POST http://{HOST}/extensions/file-manager/list.cgi
POST http://{HOST}/xhr.cgi
POST http://{HOST}/extensions/file-manager/delete.cgi
POST http://{HOST}/extensions/file-manager/create_file.cgi
POST http://{HOST}/extensions/file-manager/rename.cgi



This vulnerability allows modifying the OS file system and listing or deleting files on the server, and it opens local privilege escalation vectors.
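For defenders reviewing an affected server, the following added example (not part of the report or of Webmin's code) flags logged requests to the file-manager handlers listed above that were made by users whose module list lacks filemin. It assumes a Common Log Format-style access log and an ACL file of "user: module module ..." lines; the log lines, users and ACL content are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

FM_PREFIX = "/extensions/file-manager/"  # handler path from the report
MODULE = "filemin"                       # module name from the xhr.cgi request in the thread

# Assumption: Common Log Format-style lines; adapt the regex to the local log.
LINE_RE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b')

# Constructed sample data (not from the report).
SAMPLE_ACL = "root: acl filemin passwd\nlowpriv: passwd\n"
SAMPLE_LOG = """\
192.0.2.10 - root [20/Feb/2022:10:00:01 +0000] "POST /extensions/file-manager/list.cgi HTTP/1.1" 200 512
192.0.2.20 - lowpriv [20/Feb/2022:10:02:13 +0000] "POST /extensions/file-manager/chown.cgi HTTP/1.1" 200 87
192.0.2.20 - lowpriv [20/Feb/2022:10:02:40 +0000] "GET /xhr.cgi?type=file&action=stat&file=/etc/passwd&module=filemin HTTP/1.1" 200 140
192.0.2.20 - lowpriv [20/Feb/2022:10:03:02 +0000] "GET /passwd/index.cgi HTTP/1.1" 200 2048
"""

def parse_acl(text):
    """Parse 'user: mod1 mod2 ...' lines into {user: set_of_modules}."""
    acl = {}
    for line in text.splitlines():
        user, sep, mods = line.partition(":")
        if sep and user.strip():
            acl[user.strip()] = set(mods.split())
    return acl

def touches_file_manager(target):
    """True if the request target reaches a file-manager handler."""
    parts = urlsplit(target)
    if parts.path.startswith(FM_PREFIX) and parts.path.endswith(".cgi"):
        return True
    # xhr.cgi is shared; only a logged query string reveals the module (POST bodies are not logged).
    return parts.path == "/xhr.cgi" and MODULE in parse_qs(parts.query).get("module", [])

def find_violations(log_text, acl):
    """Return (user, method, target, status) for file-manager requests by users lacking the module."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] == "-":
            continue
        if touches_file_manager(m["target"]) and MODULE not in acl.get(m["user"], set()):
            hits.append((m["user"], m["method"], m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG, parse_acl(SAMPLE_ACL)):
        print(hit)
```

A hit with a 2xx status means the handler served a user who should have been refused, so those entries deserve review first.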

We are processing your report and will contact the webmin team within 24 hours. a year ago
We have contacted a member of the webmin team and are waiting to hear back a year ago
webmin validated this vulnerability a year ago
Faisal Fs ⚔️ has been awarded the disclosure bounty
The fix bounty is now up for grabs
a year ago


This looks to be the same vulnerability as your other report?

Faisal Fs ⚔️
a year ago


Unfortunately, the previous patch doesn't work. I retested and discovered new affected endpoints.

Faisal Fs ⚔️
a year ago



Most of the endpoints are fixed in webmin v1.985 deb. However, there is only one endpoint affected, http://$HOST/xhr.cgi?type=file&action=stat&file=/etc/passwd&module=filemin

We have sent a fix follow up to the webmin team. We will try again in 7 days. a year ago
a year ago


That XHR issue is fixed by

We have sent a second fix follow up to the webmin team. We will try again in 10 days. a year ago
webmin marked this as fixed in 1.990 with commit 39ea46 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
create_folder.cgi#L8-L28 has been validated
create_file.cgi#L8-L28 has been validated
rename.cgi#L6-L19 has been validated
delete.cgi#L4-L20 has been validated