Usermin is a companion product to Webmin that lets ordinary (non-root) users configure their own accounts through a web interface similar to Webmin's.
Webmin and Usermin both ship with a miniature HTTP server written in Perl (miniserv.pl) and a large set of Common Gateway Interface (CGI) programs that perform the actual system administration tasks. Webmin's server normally runs as root, so any weakness in its authentication is, in effect, a remote root exposure.
2/26/03
CAN-2003-0101
Webmin 1.060 and earlier and Usermin 0.990 and earlier do not properly check for line feed (LF) and carriage return (CR) characters in the Base64-decoded contents of the HTTP Basic Authorization header. Base64 can carry any byte, so an attacker can embed CR/LF in the credential that the server decodes; the page's advisory reports that this allows a remote user to log into the administrative account with a spoofed session ID. Presenting that spoofed session ID in the cookie the browser sends to the Webmin or Usermin server then grants access to the web interface with administrative privileges, which can lead to remote command execution with root privileges.
For this vulnerability to be exploited, the attacker must know a valid user name, "Enable Password Timeouts" must be turned on, and the authentication option under Webmin -> Configuration -> Authentication must be enabled for Webmin (the attack depends on session IDs being in use, since it works by spoofing one).
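The check the entry above calls for, written as an added example in Python rather than Webmin's own Perl code: decode a Basic Authorization header and reject any credential whose decoded user name or password contains CR, LF or another control character. The naive decoder shows the flaw class (the Base64 text is valid, but the decoded bytes are passed through unchecked); the strict variant is the hardened form. All header values here are constructed for illustration and are not taken from any advisory or exploit.

```python
import base64
import binascii

# Added example, not Webmin/Usermin code. It shows why a Basic-auth decoder
# must reject CR/LF in the *decoded* credential: Base64 can carry any byte,
# so the check has to run after decoding, not on the header text itself.

# ASCII control characters (0x00-0x1F) plus DEL; CR and LF are among them.
CONTROL_CHARS = frozenset(chr(c) for c in range(0x20)) | {"\x7f"}


def make_basic_header(user, password):
    """Build an 'Authorization: Basic ...' header value.

    Used here only to construct sample inputs for the example."""
    raw = (user + ":" + password).encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value):
    """Naive decoder: returns (user, password), or None if malformed.

    It validates the Base64 *text* but passes the decoded bytes through
    unchecked, so a CR or LF embedded in the credential survives. This is
    the behaviour the advisory above describes as the flaw."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic" or not b64.strip():
        return None
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(b":")
    if not sep:
        return None
    return user.decode("latin-1"), password.decode("latin-1")


def parse_basic_auth_strict(header_value):
    """Hardened decoder: like decode_basic_auth, but any control character
    (CR, LF, NUL, ...) in the decoded user name or password makes the
    credential invalid and the request is rejected."""
    creds = decode_basic_auth(header_value)
    if creds is None:
        return None
    user, password = creds
    if any(ch in CONTROL_CHARS for ch in user + password):
        return None
    return user, password


if __name__ == "__main__":
    # Constructed sample: a user name with an embedded line feed.
    bad = make_basic_header("alice\ninjected", "pw")
    print(repr(decode_basic_auth(bad)))       # naive: the LF passes through
    print(parse_basic_auth_strict(bad))       # strict: None (rejected)
    print(parse_basic_auth_strict(make_basic_header("alice", "pw")))
```

Rejecting the whole ASCII control range, rather than only CR and LF, costs nothing for legitimate credentials and closes the same hole for NUL and other separators that a downstream session store or IPC channel might treat specially.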
6/3/02
CAN-2002-0757
Normally, every user must supply a login name and password before gaining access to Webmin. Webmin versions prior to 0.970, however, contain a flaw that allows this authentication to be bypassed. A remote attacker could exploit it to gain access as any user, including the administrative account. Once in, the attacker could add or change user accounts, or start and reconfigure network services; since Webmin runs as root, this amounts to remote root access. Upgrading to 0.970 or later removes the flaw.