custom/run.cgi in Webmin before 1.870 allows remote authenticated administrators to conduct XSS attacks via the description field in the custom command functionality.
Webmin, a web-based system administration interface, is vulnerable to Cross-Site Scripting (XSS) attacks. A malicious administrator can inject arbitrary JavaScript code into the application through the custom command functionality, potentially leading to account compromise and system takeover by stealing session cookies or redirecting users to malicious websites.
Step 1: Authentication: The attacker must first authenticate as an administrator in Webmin.
Step 2: Payload Injection: The attacker navigates to the custom command configuration within Webmin and enters a malicious JavaScript payload (e.g., <script>alert('XSS');</script> or more sophisticated code to steal cookies or redirect users) into the description field.
Step 3: Payload Storage: The attacker saves the custom command with the injected payload. The payload is stored in the Webmin configuration data.
Step 4: Victim Interaction: Another administrator views the custom command. The Webmin interface renders the description field, including the attacker's injected JavaScript.
Step 5: Payload Execution: The victim's browser executes the malicious JavaScript payload. This could lead to various attacks, such as cookie theft, session hijacking, or redirection to a phishing site.
The vulnerability stems from insufficient input validation and output encoding in the custom/run.cgi script in Webmin. The description field of a custom command is not HTML-encoded (nor otherwise validated) before it is displayed to other administrators, so an attacker can store arbitrary HTML and JavaScript tags in it. When another administrator views the custom command, the stored markup is rendered as part of the page and the injected JavaScript executes in that administrator's browser. Because the attacker controls the context in which the description is rendered, the result is a stored cross-site scripting flaw that leads to the execution of malicious scripts.
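The following is an added illustration of the flaw class and its fix, not Webmin's own code (Webmin is written in Perl; this is a Python sketch of the same output-encoding pattern). The table-row layout and the stored description are constructed assumptions; the check function counts how many script elements a browser would actually parse out of each rendering.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the kind of description an administrator could store
# in the custom command configuration (hypothetical, not from the advisory).
STORED_DESCRIPTION = "Restart web server <script>alert('XSS');</script>"


def render_row_vulnerable(name, description):
    """Mirrors the flaw described above: the stored description is
    interpolated into the page verbatim, so any tags become live markup."""
    return f"<tr><td>{name}</td><td>{description}</td></tr>"


def render_row_fixed(name, description):
    """Hardened form: HTML-encode every untrusted value at output time.
    quote=True also escapes quotes, so the value is safe inside attributes."""
    safe_name = html.escape(name, quote=True)
    safe_desc = html.escape(description, quote=True)
    return f"<tr><td>{safe_name}</td><td>{safe_desc}</td></tr>"


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees in a fragment of markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_tags_in(markup):
    """Count <script> elements present in the rendered markup; any non-zero
    count means the stored description reached the page as executable code."""
    parser = _TagCollector()
    parser.feed(markup)
    return sum(1 for tag in parser.tags if tag == "script")


if __name__ == "__main__":
    for render in (render_row_vulnerable, render_row_fixed):
        out = render("restart-httpd", STORED_DESCRIPTION)
        print(f"{render.__name__}: {script_tags_in(out)} script element(s)")
```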