Bug 27459

Summary: webmin new security issues CVE-2020-882[01] and CVE-2020-12670
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: nicolas.salguero, ouaurelien, smelror, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: webmin-1.930-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-10-21 20:52:21 CEST 
Webmin 1.941 fixed three security issues:
https://www.webmin.com/security.html

It was released in January but the security issues weren't announced until some unknown time later.  Change log for other changes is here:
https://www.webmin.com/changes.html
Comment 1 Aurelien Oudelet 2020-10-25 18:48:20 CET 
Hi, thanks for reporting this bug.
Assigned to all package maintainers as no registered one.
CC'd recent commiters.
(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
CC: (none) => smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-11-04 10:23:16 CET 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed. (CVE-2020-8820)

An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users. (CVE-2020-8821)

XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. (CVE-2020-12670)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12670
https://www.webmin.com/security.html
https://www.webmin.com/changes.html
========================

Updated package in core/updates_testing:
========================
webmin-1.941-1.mga7

from SRPM:
webmin-1.941-1.mga7.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Keywords: Triaged => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2020-11-04 12:46:23 CET 
Those CVE descriptions make it sound like we need to update *past* 1.941.  I don't see a reason to not update to the latest version.
Comment 4 Nicolas Salguero 2020-11-04 14:04:54 CET 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed. (CVE-2020-8820)

An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users. (CVE-2020-8821)

XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. (CVE-2020-12670)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12670
https://www.webmin.com/security.html
https://www.webmin.com/changes.html
========================

Updated package in core/updates_testing:
========================
webmin-1.960-1.mga7

from SRPM:
webmin-1.960-1.mga7.src.rpm
Comment 5 Aurelien Oudelet 2020-11-05 18:33:50 CET 
Installing webmin-1.960-1.mga7 under M7 Plasma x86_64.
No error.

Make sure restart service (systemctl restart webmin)
Open Firefox pointing to https://localhost:10000
and runs some modules.

Config SSH for example. OK.
All Modules are OK. Changing language is OK.
No regression.

MGA7-64-OK for me.
Validating update.

Advisory pushed to SVN.

CC: (none) => ouaurelien, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2020-11-08 15:15:52 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0400.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED