Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Webmin Doesn't Clean Env (root exploit)
From: Eugene Tsyrklevich <eugene () securityarchitects com>
Date: Mon, 28 May 2001 12:43:13 -0700

I have also found several security bugs in the older webmin releases (< 0.82).
If you are still running an older version, you are _strongly_ recommended to
upgrade. Some of the bugs found included execution of arbitrary commands
and arbitrary directory traversals. The bugs were fixed in webmin 0.82.

eugene


On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
Not sure if this is known, however I know I've seen quite a few people
still using webmin 0.84.

Webmin doesn't seem to clean the env properly when starting apache
(probably in other cases as well)

It leaves the var HTTP_AUTHORIZATION set.  All you need to do is run
it though a mime 64 decode and you have the login and password to
webmin.  (it also leaves SERVER_PORT set so there should be no problem
figuring out where the webmin is)

You can best see the effects by:

1. Kill Apache
2. Start Apache will webmin
3. Goto a <?php phpinfo() ?> page and look at the vars

The good news is that webmin 0.85 doesn't seem to have this problem
because if doesn't use the same type of auth.  This only seems to
affect webmin 0.84 and earlier.


            Nick


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault