mailing list archives
Re: Webmin Doesn't Clean Env (root exploit)
From: Eugene Tsyrklevich <eugene () securityarchitects com>
Date: Mon, 28 May 2001 12:43:13 -0700
I have also found several security bugs in the older webmin releases (< 0.82).
If you are still running an older version, you are _strongly_ recommended to
upgrade. Some of the bugs found included execution of arbitrary commands
and arbitrary directory traversals. The bugs were fixed in webmin 0.82.
On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
Not sure if this is known, however I know I've seen quite a few people
still using webmin 0.84.
Webmin doesn't seem to clean the env properly when starting apache
(probably in other cases as well)
It leaves the var HTTP_AUTHORIZATION set. All you need to do is run
it though a mime 64 decode and you have the login and password to
webmin. (it also leaves SERVER_PORT set so there should be no problem
figuring out where the webmin is)
You can best see the effects by:
1. Kill Apache
2. Start Apache will webmin
3. Goto a <?php phpinfo() ?> page and look at the vars
The good news is that webmin 0.85 doesn't seem to have this problem
because if doesn't use the same type of auth. This only seems to
affect webmin 0.84 and earlier.