Bugtraq mailing list archives

Webmin Doesn't Clean Env (root exploit)
From: "J. Nick Koston" <nick () burst net>
Date: Sat, 26 May 2001 16:55:35 -0400

Not sure if this is known, however I know I've seen quite a few people
still using webmin 0.84.

Webmin doesn't seem to clean the env properly when starting apache
(probably in other cases as well)

It leaves the var HTTP_AUTHORIZATION set.  All you need to do is run
it through a mime 64 decode and you have the login and password to
webmin.  (it also leaves SERVER_PORT set so there should be no problem
figuring out where the webmin is)

You can best see the effects by:

1. Kill Apache
2. Start Apache with webmin
3. Go to a <?php phpinfo() ?> page and look at the vars

The good news is that webmin 0.85 doesn't seem to have this problem
because it doesn't use the same type of auth.  This only seems to
affect webmin 0.84 and earlier.


<snip from phpinfo (some vars removed to protect the innocent)>

         Variable                                Value
PHP_SELF                    /test.php
HTTP_SERVER_VARS            /usr/local/apache/htdocs
HTTP_SERVER_VARS            text/*, image/*, audio/*, application/*
HTTP_SERVER_VARS            gzip, compress, bzip, bzip2, deflate
HTTP_SERVER_VARS            en; q=1.0
HTTP_SERVER_VARS            localhost
HTTP_SERVER_VARS            w3m/0.2.1


HTTP_SERVER_VARS            56523

HTTP_SERVER_VARS            /usr/local/apache/htdocs/test.php

HTTP_SERVER_VARS            80                             
HTTP_SERVER_VARS            Apache/1.3.17 (Unix) PHP/4.0.4pl1
HTTP_SERVER_VARS            CGI/1.1 
HTTP_SERVER_VARS            HTTP/1.0
HTTP_SERVER_VARS            GET     
HTTP_SERVER_VARS            /test.php
HTTP_SERVER_VARS            /usr/local/apache/htdocs/test.php

HTTP_SERVER_VARS            /test.php 
HTTP_SERVER_VARS["argv"]    Array
HTTP_SERVER_VARS["argc"]    0
HTTP_ENV_VARS               10000    

HTTP_ENV_VARS               CGI/1.1                     
HTTP_ENV_VARS["PWD"]        /root/webmin-0.84/apache/
HTTP_ENV_VARS["HTTP_USER_AGENT"]  Mozilla/5.0 (X11; U; Linux 2.4.2 i686; rv:0.9) Gecko/20010505
HTTP_ENV_VARS               http://localhost:10000/apache/              
HTTP_ENV_VARS["HTTP_HOST"]  localhost:10000                  
HTTP_ENV_VARS               Basic YWRtaW46ZGF2ZQ==
HTTP_ENV_VARS               keep-alive
HTTP_ENV_VARS               gzip,deflate,compress,identity      
HTTP_ENV_VARS               /root/webmin-0.84
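
The step missing in the report above, as an added defensive example (not part of the original message and not Webmin's code): strip request-derived CGI variables before a CGI program starts a daemon, and audit an environment in the NUL-separated format of /proc/<pid>/environ for any that leaked. The variable list follows RFC 3875; the function names and sample values are constructed for illustration.

```python
import os
import subprocess
import sys

# CGI/1.1 request meta-variables (RFC 3875). A CGI program receives these from
# the web server; a daemon it starts must not inherit them.
CGI_META_VARS = frozenset({
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "SERVER_SOFTWARE",
})

# Constructed sample: what an admin-panel CGI might see (placeholder credential).
SAMPLE_CGI_ENV = {
    "HTTP_AUTHORIZATION": "Basic PLACEHOLDER",
    "HTTP_HOST": "localhost:10000",
    "SERVER_PORT": "10000",
    "GATEWAY_INTERFACE": "CGI/1.1",
}

def is_request_var(name):
    """True for variables that describe the HTTP request rather than the host."""
    return name.startswith("HTTP_") or name in CGI_META_VARS

def scrubbed_env(env):
    """Copy of env with every request-derived variable removed."""
    return {k: v for k, v in env.items() if not is_request_var(k)}

def parse_environ(blob):
    """Parse the NUL-separated NAME=value format used by /proc/<pid>/environ."""
    pairs = (entry.partition(b"=") for entry in blob.split(b"\0") if b"=" in entry)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in pairs}

def leaked_request_vars(env):
    """Names of request-derived variables found in a process environment."""
    return sorted(name for name in env if is_request_var(name))

def child_environ(env):
    """Start a child process with env and return the environment it actually sees."""
    dump = 'import os,sys; sys.stdout.buffer.write(b"\\0".join(k + b"=" + v for k, v in os.environb.items()))'
    out = subprocess.run([sys.executable, "-c", dump], env=env, capture_output=True, check=True)
    return parse_environ(out.stdout)

if __name__ == "__main__":
    cgi_env = dict(os.environ, **SAMPLE_CGI_ENV)
    print("inherited:", leaked_request_vars(child_environ(cgi_env)))
    print("scrubbed: ", leaked_request_vars(child_environ(scrubbed_env(cgi_env))))
```

On a running Linux host, `leaked_request_vars(parse_environ(open("/proc/<pid>/environ", "rb").read()))` applies the same audit to an already started daemon.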

