CVE-2006-3392

EPSS 77.8%

Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.

Affected products

n/a · n/a

public PoCs found — 9

githubgithub.com/IvanGlinkin/CVE-2006-3392★ 14 githubgithub.com/brosck/CVE-2006-3392★ 3 githubgithub.com/0xtz/CVE-2006-3392★ 1 githubgithub.com/g1vi/CVE-2006-3392★ 1 githubgithub.com/kernel-cyber/CVE-2006-3392★ 0 githubgithub.com/Adel-kaka-dz/CVE-2006-3392★ 0 githubgithub.com/gb21oc/ExploitWebmin★ 0 exploitdbwww.exploit-db.com/exploits/1997unverified exploitdbwww.exploit-db.com/exploits/2017unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://attrition.org/pipermail/vim/2006-July/000923.html http://attrition.org/pipermail/vim/2006-June/000912.html http://secunia.com/advisories/20892 http://secunia.com/advisories/21105 http://secunia.com/advisories/21365 http://secunia.com/advisories/22556 http://security.gentoo.org/glsa/glsa-200608-11.xml http://www.debian.org/security/2006/dsa-1199 http://www.kb.cert.org/vuls/id/999601 http://www.mandriva.com/security/advisories?name=MDKSA-2006:125 http://www.osvdb.org/26772 http://www.securityfocus.com/archive/1/439653/100/0/threaded