CVE-2005-3042 Information

Description

miniserv.pl in Webmin before 1.230 and Usermin before 1.160, when "full PAM conversations" is enabled, allows remote attackers to bypass authentication by spoofing session IDs via certain metacharacters (line feed or carriage return).

Reference

http://archives.neohapsis.com/archives/bugtraq/2005-09/0257.html
http://jvn.jp/jp/JVN2340940493/index.html
http://secunia.com/advisories/16858
http://secunia.com/advisories/17282
http://securityreason.com/securityalert/17
http://www.gentoo.org/security/en/glsa/glsa-200509-17.xml
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/83_e.html
http://www.mandriva.com/security/advisories?name=MDKSA-2005:176
http://www.novell.com/linux/security/advisories/2005_24_sr.html
http://www.osvdb.org/19575
http://www.securityfocus.com/bid/14889
http://www.vupen.com/english/advisories/2005/1791
http://www.webmin.com/changes-1.230.html
http://www.webmin.com/uchanges-1.160.html
