=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN522
_____________________________________________________________________

DATE                      : 10/12/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Webmin versions prior to 1.500,
                               Usermin prior to 1.430.

======================================================================
http://www.webmin.com/security.html
______________________________________________________________________

XSS (cross-site scripting) security hole

Affects Webmin versions up to 1.500, and Usermin up to 1.430.
This attack could open users who visit untrusted websites while
having Webmin open in the same browser up to having their session cookie
captured, which could then allow an attacker to log in to Webmin without a
password.
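The risk described above is that script injected into a Webmin page can read the session cookie and hand it to an attacker. A defender verifying the upgrade can also check that the session cookie is issued with the attributes that deny script access (HttpOnly) and plaintext transport (Secure). The checker below is an added example, not code from this advisory or from Webmin; the cookie name "sid" and the sample headers are constructed assumptions.

```python
from typing import Dict, List

# Attributes a session cookie should carry so that an injected script cannot
# read it (HttpOnly), it is never sent over plain HTTP (Secure), and it is not
# attached to cross-site requests (SameSite). Defence in depth only: the XSS
# itself is fixed by upgrading as the advisory indicates.
REQUIRED_ATTRIBUTES = ("httponly", "secure", "samesite")


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into its name/value pair and attributes.

    Attribute names are lower-cased so the check is case-insensitive, as the
    browser's handling is; flag attributes (HttpOnly, Secure) map to "".
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    parsed = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip()
    return parsed


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the hardening attributes missing from a Set-Cookie header value."""
    cookie = parse_set_cookie(header_value)
    return [attr for attr in REQUIRED_ATTRIBUTES if attr not in cookie]


# Constructed sample headers; "sid" is a placeholder cookie name, not taken
# from the advisory. The first is what a cookie-theft XSS can exploit, the
# second is the hardened form.
WEAK_HEADER = "sid=abc123; path=/"
HARDENED_HEADER = "sid=abc123; path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, "missing:", audit_set_cookie(hdr) or "nothing")
```

Run it against the Set-Cookie header captured from your own Webmin login response; any attribute reported missing is a gap that a cookie-stealing payload could use even after the XSS is patched elsewhere.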

Thanks to Ryan Giobbi for finding this.


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
