From: KMAN <mai...@ho...> - 2001-05-30 03:41:41

I found this on bugtraq.

-kittiwat

----- Original Message -----
From: "Marcus Meissner" <Mar...@ca...>
To: "J. Nick Koston" <ni...@bu...>
Cc: <bu...@se...>
Sent: Tuesday, May 29, 2001 9:14 PM
Subject: Re: Webmin Doesn't Clean Env (root exploit)

> On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
> > Not sure if this is known, however I know I've seen quite a few people
> > still using webmin 0.84.
> >
> > Webmin doesn't seem to clean the env properly when starting apache
> > (probably in other cases as well)
> >
> > It leaves the var HTTP_AUTHORIZATION set. All you need to do is run
> > it through a mime 64 decode and you have the login and password to
> > webmin. (it also leaves SERVER_PORT set so there should be no problem
> > figuring out where the webmin is)
>
> This is also a problem with newer versions.
>
> While it now uses a Cookie to save authorization information, this cookie
> is passed to apache as environment variable and could be queried, environment
> variable is:
>
> HTTP_COOKIE=sid=1054633991
>
> If you have this session id, you can attach to a running webmin session
> easily (for instance if the administrator forgot to logoff and just quitted
> his browser or has it still open).
>
> Ciao, Marcus
> --
>    _____    ___
>   /  __/____/ /          Caldera (Deutschland) GmbH
>  /  /_/ __  / /__        Naegelsbachstr. 49c, 91052 Erlangen
> /_____//_/ /____/        Dipl. Inf. Marcus Meissner, email: mm...@ca...
> ==== /_____/ ======      phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
>    Caldera OpenLinux
>

From: Joe C. <jo...@sw...> - 2001-05-31 03:23:35

Known issue. A preliminary fixed version of miniserv.pl has been
released on the updates page, and the problem is under discussion on the
devel list. Jamie will address it completely in version 0.86.

Note this is primarily a problem with boxes that have untrusted user
accounts (meaning, things like hosting boxes, and such where users that
are not part of your organization have shell accounts). So, for
example, I don't have any problems with this issue at the moment because
all of the boxes I use Webmin on have no user shell accounts.

KMAN wrote:

> I found this on bugtraq.
>
> -kittiwat
>
> ----- Original Message -----
> From: "Marcus Meissner" <Mar...@ca...>
> To: "J. Nick Koston" <ni...@bu...>
> Cc: <bu...@se...>
> Sent: Tuesday, May 29, 2001 9:14 PM
> Subject: Re: Webmin Doesn't Clean Env (root exploit)
>
>>On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
>>
>>>Not sure if this is known, however I know I've seen quite a few people
>>>still using webmin 0.84.
>>>
>>>Webmin doesn't seem to clean the env properly when starting apache
>>>(probably in other cases as well)
>>>
>>>It leaves the var HTTP_AUTHORIZATION set. All you need to do is run
>>>it through a mime 64 decode and you have the login and password to
>>>webmin. (it also leaves SERVER_PORT set so there should be no problem
>>>figuring out where the webmin is)
>>>
>>This is also a problem with newer versions.
>>
>>While it now uses a Cookie to save authorization information, this cookie
>>is passed to apache as environment variable and could be queried, environment
>>variable is:
>>
>>HTTP_COOKIE=sid=1054633991
>>
>>If you have this session id, you can attach to a running webmin session
>>easily (for instance if the administrator forgot to logoff and just quitted
>>his browser or has it still open).

--
Joe Cooper <jo...@sw...>
Affordable Web Caching Proxy Appliances
http://www.swelltech.com

From: KMAN <mai...@ho...> - 2001-05-31 04:28:59

Oops. Sorry, I posted to the wrong list. It was supposed to go to the dev-list.
Anyway, looks like you guys have found a way to fix it now! :-)

cheers,
-kittiwat

From: "Joe Cooper" <jo...@sw...>

> Known issue. A preliminary fixed version of miniserv.pl has been
> released on the updates page, and the problem is under discussion on the
> devel list. Jamie will address it completely in version 0.86.
>
> Note this is primarily a problem with boxes that have untrusted user
> accounts (meaning, things like hosting boxes, and such where users that
> are not part of your organization have shell accounts). So, for
> example, I don't have any problems with this issue at the moment because
> all of the boxes I use Webmin on have no user shell accounts.
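
Added example, not part of the thread and not the miniserv.pl fix it mentions: one way to keep request variables such as HTTP_AUTHORIZATION, HTTP_COOKIE and SERVER_PORT out of a daemon started from a CGI handler is to build the child's environment from an allowlist instead of inheriting it. It is written in Python rather than Webmin's Perl; the ALLOWED set, the sample environment and all function names are assumptions for illustration.

```python
import json
import subprocess
import sys

# Assumption: the only variables the restarted service needs; tune per daemon.
ALLOWED = {"PATH", "LANG", "TZ"}

# CGI/1.1 meta-variables (RFC 3875) that describe the request or its user.
CGI_VARS = {"AUTH_TYPE", "QUERY_STRING", "REMOTE_ADDR", "REMOTE_HOST",
            "REMOTE_USER", "SERVER_NAME", "SERVER_PORT"}

# Constructed CGI environment; the cookie value is the one quoted in the thread.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "SERVER_PORT": "10000",
    "REMOTE_USER": "admin",
    "HTTP_COOKIE": "sid=1054633991",
    "HTTP_AUTHORIZATION": "Basic PLACEHOLDER",
}


def clean_env(env, allowed=ALLOWED):
    """Build the child's environment from an allowlist instead of inheriting."""
    return {k: v for k, v in env.items() if k in allowed}


def request_vars(env):
    """Audit helper: names in env that carry request or credential data."""
    return sorted(k for k in env if k.startswith("HTTP_") or k in CGI_VARS)


def child_sees(env):
    """Start a child with exactly `env` and return the environment it reports."""
    code = "import json, os; print(json.dumps(dict(os.environ)))"
    out = subprocess.run([sys.executable, "-I", "-c", code], env=env,
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    print("inherited:", request_vars(child_sees(SAMPLE_CGI_ENV)))
    print("scrubbed: ", request_vars(child_sees(clean_env(SAMPLE_CGI_ENV))))
```

The same request_vars check can be run against the environment of an already running service to see whether it was started from a request handler without scrubbing.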