Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Webmin Doesn't Clean Env (root exploit)
From: Marcus Meissner <Marcus.Meissner () caldera de>
Date: Tue, 29 May 2001 16:14:06 +0200

On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
Not sure if this is known, however I know I've seen quite a few people
still using webmin 0.84.

Webmin doesn't seem to clean the env properly when starting apache
(probably in other cases as well)

It leaves the var HTTP_AUTHORIZATION set.  All you need to do is run
it though a mime 64 decode and you have the login and password to
webmin.  (it also leaves SERVER_PORT set so there should be no problem
figuring out where the webmin is)

This is also a problem with newer versions.

While it now uses a Cookie to save authorization information, this cookie
is passed to apache as environment variable and could be queried, environment
variable is:

        HTTP_COOKIE=sid=1054633991

If you have this session id, you can attach to a running webmin session
easily (for instance if the administrator forgot to logoff and just quitted
his browser or has it still open).

Ciao, Marcus
-- 
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__          Naegelsbachstr. 49c, 91052 Erlangen
   /_____//_/ /____/       Dipl. Inf. Marcus Meissner, email: mm () caldera de
  ==== /_____/ ======    phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
   Caldera OpenLinux


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]