CVE-2019-15641 – Authenticated XXE on Webmin <= 1.930

Published on: Jul 30 2019 by Loïc

Description

From http://www.webmin.com:

Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely. See the standard modules page for a list of all the functions built into Webmin.

By default, the xmlrpc.cgi endpoint is enabled behind basic auth, but only three users are allowed to POST data to it:

  • root
  • admin
  • sysadm

[Screenshot: user restriction in xmlrpc.cgi]

As its name suggests, the service handles XML messages. It uses the Perl XML::Parser module without disabling entity processing:

[Screenshot: parser initialisation in xmlrpc.cgi]

Exploitation

Because of this permissive parser, an attacker who can log in as one of those users can exploit an XXE to read local files or probe internal networks with root privileges. Simple XXE payloads work, for example:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE methodCall [
    <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<methodCall>
  <methodName>&file;</methodName>
</methodCall>
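As an added defensive example (not Webmin's own code), the following Python uses the standard-library expat bindings to inspect an XML-RPC request body before it reaches the real parser, flagging a DOCTYPE, an external DTD and any entity declared with a SYSTEM or PUBLIC identifier; the two sample bodies are constructed, one mirroring the payload shape above.

```python
import xml.parsers.expat

# Constructed sample bodies (not captured traffic): the XXE payload shape
# from the advisory, and a benign XML-RPC call that declares no DTD.
XXE_BODY = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE methodCall [
    <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<methodCall><methodName>&file;</methodName></methodCall>"""

BENIGN_BODY = """<?xml version="1.0" encoding="utf-8"?>
<methodCall><methodName>system.listMethods</methodName></methodCall>"""


def inspect_xmlrpc_body(body):
    """Parse the DTD of an XML-RPC body with expat's declaration handlers
    and report anything that could trigger an out-of-document fetch."""
    report = {"doctype": False, "external_dtd": None,
              "external_entities": [], "parameter_entities": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = True
        if system_id or public_id:      # <!DOCTYPE x SYSTEM "..."> fetches a DTD
            report["external_dtd"] = system_id or public_id

    def on_entity_decl(name, is_param, value, base, system_id,
                       public_id, notation_name):
        if is_param:                    # %name; entities, never needed by XML-RPC
            report["parameter_entities"].append(name)
        if system_id is not None or public_id is not None:
            report["external_entities"].append((name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        # The DTD handlers have already fired by the time content fails.
        report["parse_error"] = str(exc)
    return report


def is_acceptable(body):
    """XML-RPC never needs a DTD, so the simplest safe policy is to reject
    any body that declares one, before it reaches the real parser."""
    return not inspect_xmlrpc_body(body)["doctype"]
```

The same gate belongs in front of any XML::Parser call that accepts authenticated input; rejecting DOCTYPE outright is cheaper and safer than trying to whitelist entity forms.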
