Usermin – Read Mail Module Hardlink Arbitrary File Access (R911-0171)

Type: Hardlink Arbitrary File Access
Location: Local
Impact: High
Product: Usermin
Website: http://www.webmin.com/usermin.html
Vulnerable Version: 1.630
Fixed Version: 1.640
CVE: CVE-2015-1377
R911: 0171
Date: 2015-01-27
By: RACK911

Product Description:

Usermin is a web-based interface for webmail, password changing, mail filters, fetchmail and much more. It is designed for use by regular non-root users on a Unix system, and limits them to tasks that they would be able to perform if logged in via SSH or at the console.

Vulnerability Description:

It is possible for a malicious user to view any file on the server, including root-owned files, by creating a hardlink under the user-accessible mail directory; Usermin's Read Mail module will then render the linked file as if it were a message.
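The defensive counterpart to the issue described above is a check that a message file actually belongs to the user before it is rendered. The following is an added illustration, not Usermin's code or its 1.640 fix: a hypothetical helper open_mail_file_safely() opens the file with O_NOFOLLOW (refusing symlinks), then inspects the already-open descriptor with fstat and refuses anything that is not a regular file, is not owned by the expected uid, or has a link count other than one, which is the tell-tale sign of a hardlink planted in the mail directory. The demo() function builds a constructed temporary mail directory with a legitimate message, a hardlink and a symlink. protected_hardlinks_enabled() reports the Linux fs.protected_hardlinks sysctl, which prevents unprivileged users from hardlinking files they do not own and is the system-level mitigation for this class of bug.

```python
import os
import stat
import tempfile


class UnsafeMailFile(Exception):
    """Raised when a file under the mail directory fails the ownership/link checks."""


def open_mail_file_safely(path: str, expected_uid: int):
    """Open a message file only after verifying it really belongs to the user.

    Hypothetical hardening helper (not Usermin's code). O_NOFOLLOW makes a
    symlink fail at open(); fstat() on the open descriptor means the checks
    cannot be raced by swapping the path between check and use.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeMailFile(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            # A hardlink keeps the target inode's owner, so a link to a
            # root-owned file still shows uid 0 here.
            raise UnsafeMailFile(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_nlink != 1:
            # A planted hardlink gives the inode a second name; the link count
            # reveals it even when the owner check alone would pass.
            raise UnsafeMailFile(f"{path}: inode has {st.st_nlink} links, refusing")
        return os.fdopen(fd, "rb")
    except Exception:
        os.close(fd)
        raise


def protected_hardlinks_enabled():
    """Report the Linux fs.protected_hardlinks sysctl (None if the knob is unavailable)."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def demo() -> dict:
    """Constructed scenario: a real message passes, a hardlink and a symlink are refused."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as maildir:
        # Legitimate message file owned by the user, link count 1.
        message = os.path.join(maildir, "1422345678.msg")
        with open(message, "wb") as f:
            f.write(b"From: alice@example.test\r\nSubject: hello\r\n\r\nbody\n")
        with open_mail_file_safely(message, uid) as f:
            results["legit"] = f.read(5) == b"From:"

        # A file living outside the mail directory (constructed stand-in for a
        # sensitive file), hardlinked into the mail directory.
        with tempfile.NamedTemporaryFile(delete=False) as other:
            other.write(b"secret")
        try:
            link = os.path.join(maildir, "1422345679.msg")
            os.link(other.name, link)
            try:
                open_mail_file_safely(link, uid).close()
                results["hardlink_rejected"] = False
            except UnsafeMailFile:
                results["hardlink_rejected"] = True
        finally:
            os.unlink(other.name)

        # A symlink fails at open() because of O_NOFOLLOW, before any check runs.
        sym = os.path.join(maildir, "1422345680.msg")
        os.symlink(message, sym)
        try:
            open_mail_file_safely(sym, uid).close()
            results["symlink_rejected"] = False
        except OSError:
            results["symlink_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
    print("fs.protected_hardlinks:", protected_hardlinks_enabled())
```

The owner and link-count checks are deliberately both present: the owner check catches links to other users' files, while the link-count check also catches a link to a file the user owns but which lives outside the mail directory. Where fs.protected_hardlinks is enabled the planted link cannot be created in the first place, but an application serving files from a user-writable directory should not rely on that sysctl alone.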

Impact:

We rate this vulnerability HIGH because sensitive information, including the contents of root-owned files, can be obtained by an unprivileged local user.

Vulnerable Version:

This vulnerability was tested against Usermin 1.630.

Fixed Version:

This vulnerability was patched in Usermin 1.640.

Vendor Contact Timeline:

2014-12-09: Vendor contacted via email.
2014-12-09: Vendor confirms vulnerability.
2015-01-01: Vendor issues 1.640 update.
2015-01-27: RACK911 issues security advisory.