Detectify got 2 XSS on Virtualmin/Webmin

neocydfr · January 23, 2013, 12:46pm

Hi,

I’ve recently used Detectify app on my website.

All was ok on my website but not on all my server. The only exploits found was… on Virtualmin

2x XSS
Can be used in order to grab cookies, cause run-by attacks, phishing, browser based exploitation or tabnabbing.

URL : https://domain.tld:20000/session_login.cgi
URL : https://domain.tld:10000/session_login.cgi

COOKIES: PHPSESSID=0ijbf57f8en02mn98euc580q16; testing=1
POST: page=%2F&user=%22%2F%3E%3Cdetectify%3EknVqAc1DF8&pass=&save=1

Username Password

And 2x Input AutoComplete The input appears to be used for confidential data, however autocomplete is still activated. In case of a Cross-Site Scriping (XSS) incident; such data may be siphoned by the attacker if you’ve previously entered it into the input.


URL : https://domain.tld:20000/session_login.cgi

URL : https://domain.tld:10000/session_login.cgi
COOKIES: PHPSESSID=0ijbf57f8en02mn98euc580q16; testing=1

POST: page=%252F&user=&pass=&save=1
  
   
     You must enter a username and password to login to the Usermin server on monsterwin.fr.  
    
    
   <input class=‘ui_checkbox’ type=ch…
You can test on detectify.com
Thanks.

Jamie · January 23, 2013, 5:45pm

Which webmin version are you running there? When I tried this, all that happened was that appeared in the username field, which doesn’t seem like an exploit to me …

neocydfr · January 24, 2013, 4:08am

Webmin version 1.610
Virtualmin version 3.97.gpl GPL

Jamie · January 24, 2013, 5:13am

Do you have an example wget or similar command that can demonstrate this attack? I think that detectify.com is giving false positives.

For example, in the HTML :


 Username    
Password

the  tag is inside quotes.