Improper Access Control in File Manager module in webmin/webmin
Reported on
Feb 20th 2022
Description
In Webmin 1.984, any authenticated low-privilege user who did not have access to the File Manager module could still interact with a variety of File Manager capabilities, such as modifying file ownership (chown), viewing file properties, and listing or deleting files and directories on the server. It is possible to change the ownership of files on the current file system, such as /etc/shadow, to make them world-readable, exposing the host to local privilege escalation vectors.
Proof of Concept
Affected endpoints:
POST http://{HOST}/extensions/file-manager/chown.cgi
POST http://{HOST}/extensions/file-manager/search.cgi
POST http://{HOST}/extensions/file-manager/tree.cgi
POST http://{HOST}/extensions/file-manager/list.cgi
POST http://{HOST}/xhr.cgi
POST http://{HOST}/extensions/file-manager/delete.cgi
POST http://{HOST}/extensions/file-manager/create_file.cgi
POST http://{HOST}/extensions/file-manager/rename.cgi
Impact
This vulnerability allows modification of the OS file system and listing or deletion of files on the server, and opens local privilege escalation vectors.
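As an added defender-side example (not from the report or from Webmin), a script that cross-checks the endpoints listed above against the Webmin access list: it flags requests to the File Manager CGIs, and to xhr.cgi with module=filemin, made by users whose webmin.acl entry does not grant the filemin module. The webmin.acl line format and the CLF-style miniserv.log layout are assumptions; the sample data is constructed.

```python
import re

# Endpoints named in the report; xhr.cgi is routed on its "module" parameter.
FILE_MANAGER_PATHS = {"/extensions/file-manager/" + c + ".cgi" for c in
                      ("chown", "search", "tree", "list", "delete", "create_file", "rename")}
# Assumed CLF-like miniserv.log layout: host - user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) - (\S+) \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_acl(text):
    """Parse webmin.acl-style lines ("user: mod1 mod2 ...") into {user: set(modules)}."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, mods = line.partition(":")
        acl[user.strip()] = set(mods.split())
    return acl

def is_file_manager_request(path):
    """True for the direct file-manager CGIs or for xhr.cgi dispatched to filemin."""
    route, _, query = path.partition("?")
    if route in FILE_MANAGER_PATHS:
        return True
    return route == "/xhr.cgi" and "module=filemin" in query.split("&")

def find_unauthorized(log_text, acl):
    """Return (user, path, status) for file-manager requests by users lacking filemin."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _host, user, _method, path, status = m.groups()
        if is_file_manager_request(path) and "filemin" not in acl.get(user, set()):
            hits.append((user, path, status))
    return hits

# Constructed sample data: root is granted filemin, bob is not.
SAMPLE_ACL = "root: acl filemin useradmin\nbob: useradmin\n"
SAMPLE_LOG = """\
192.0.2.10 - root [20/Feb/2022:10:00:00 +0000] "POST /extensions/file-manager/list.cgi HTTP/1.1" 200 512
192.0.2.11 - bob [20/Feb/2022:10:01:00 +0000] "POST /extensions/file-manager/chown.cgi HTTP/1.1" 200 120
192.0.2.11 - bob [20/Feb/2022:10:02:00 +0000] "GET /xhr.cgi?type=file&action=stat&file=/etc/passwd&module=filemin HTTP/1.1" 200 88
192.0.2.11 - bob [20/Feb/2022:10:03:00 +0000] "GET /useradmin/index.cgi HTTP/1.1" 200 4096
"""

for user, path, status in find_unauthorized(SAMPLE_LOG, parse_acl(SAMPLE_ACL)):
    print(f"{user} reached {path} (HTTP {status}) without filemin access")
```

A 200 status on such a request indicates the access control gap described above; on a patched build the same requests should be rejected.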
This looks to be the same vulnerability as your other report?
Unfortunately, the previous patch doesn't work. I tried to retest and then discovered new affected endpoints.
Update: most of the endpoints are fixed in Webmin v1.985 deb. However, one endpoint is still affected: http://$HOST/xhr.cgi?type=file&action=stat&file=/etc/passwd&module=filemin
That XHR issue is fixed by https://github.com/authentic-theme/authentic-theme/commit/1c25cc9c37d011c62eb0de85d471ad353f6719b3