Re: Webmin Doesn't Clean Env (root exploit)

[Eugene Tsyrklevich <eugene () securityarchitects com>]

I have also found several security bugs in the older webmin releases (< 0.82).
If you are still running an older version, you are _strongly_ recommended to
upgrade. Some of the bugs found included execution of arbitrary commands
and arbitrary directory traversals. The bugs were fixed in webmin 0.82.

eugene


On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
> Not sure if this is known, however I know I've seen quite a few people
> still using webmin 0.84.
>
> Webmin doesn't seem to clean the env properly when starting apache
> (probably in other cases as well)
>
> It leaves the var HTTP_AUTHORIZATION set.  All you need to do is run
> it though a mime 64 decode and you have the login and password to
> webmin.  (it also leaves SERVER_PORT set so there should be no problem
> figuring out where the webmin is)
>
> You can best see the effects by:
>
> 1. Kill Apache
> 2. Start Apache will webmin
> 3. Goto a <?php phpinfo() ?> page and look at the vars
>
> The good news is that webmin 0.85 doesn't seem to have this problem
> because if doesn't use the same type of auth.  This only seems to
> affect webmin 0.84 and earlier.
>
>
>             Nick