Bug 27459 - webmin new security issues CVE-2020-882[01] and CVE-2020-12670
Summary: webmin new security issues CVE-2020-882[01] and CVE-2020-12670
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-21 20:52 CEST by David Walser
Modified: 2020-11-08 15:15 CET (History)
4 users (show)

See Also:
Source RPM: webmin-1.930-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-10-21 20:52:21 CEST 
Webmin 1.941 fixed three security issues:
https://www.webmin.com/security.html

It was released in January but the security issues weren't announced until some unknown time later.  Change log for other changes is here:
https://www.webmin.com/changes.html
Comment 1 Aurelien Oudelet 2020-10-25 18:48:20 CET 
Hi, thanks for reporting this bug.
Assigned to all package maintainers as no registered one.
CC'd recent commiters.
(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
CC: (none) => smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-11-04 10:23:16 CET 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed. (CVE-2020-8820)

An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users. (CVE-2020-8821)

XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. (CVE-2020-12670)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12670
https://www.webmin.com/security.html
https://www.webmin.com/changes.html
========================

Updated package in core/updates_testing:
========================
webmin-1.941-1.mga7

from SRPM:
webmin-1.941-1.mga7.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Keywords: Triaged => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2020-11-04 12:46:23 CET 
Those CVE descriptions make it sound like we need to update *past* 1.941.  I don't see a reason to not update to the latest version.
Comment 4 Nicolas Salguero 2020-11-04 14:04:54 CET 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed. (CVE-2020-8820)

An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users. (CVE-2020-8821)

XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. (CVE-2020-12670)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12670
https://www.webmin.com/security.html
https://www.webmin.com/changes.html
========================

Updated package in core/updates_testing:
========================
webmin-1.960-1.mga7

from SRPM:
webmin-1.960-1.mga7.src.rpm
Comment 5 Aurelien Oudelet 2020-11-05 18:33:50 CET 
Installing webmin-1.960-1.mga7 under M7 Plasma x86_64.
No error.

Make sure restart service (systemctl restart webmin)
Open Firefox pointing to https://localhost:10000
and runs some modules.

Config SSH for example. OK.
All Modules are OK. Changing language is OK.
No regression.

MGA7-64-OK for me.
Validating update.

Advisory pushed to SVN.

CC: (none) => ouaurelien, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2020-11-08 15:15:52 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0400.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.