We use Webmin to allow a user to manage his print queue,
passing the name of the printer to the form.
We saw that it's possible to run arbitrary code on the
machine where Webmin is installed by adding a ';command'
to the printer name.
string passed=b000';cat /etc/passwd'
will show the contents of the passwd file and then show
the status of the printer b000.
The batch file that run.cgi creates in /tmp is:
When the batch file is executed, the value b000 is
assigned to the variable prn and then the command cat
/etc/passwd is executed.
I hope this information can help you to solve the problem.
Enrico Mignani (firstname.lastname@example.org)
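
The mitigation for the problem reported above, as an added example (not Webmin's run.cgi and not code from the report): the printer name is checked against an allowlist, and is single-quoted before it is written into a generated shell script, so it stays data. The script layout (a prn= assignment followed by a command that reads $prn), the function names and the 64-character limit are assumptions.

```shell
#!/bin/sh
# Added illustration; not Webmin's run.cgi. The generated-script layout
# (a "prn=" assignment, then a command using $prn) is an assumption.

# Allowlist check: letters, digits, '_', '.', '-'; 1..64 chars; no leading '-'.
is_valid_printer() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Single-quote a value for embedding in generated sh code.
# Each embedded ' becomes '\'' so the value can never close the quote.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Write the generated script to a private temp file, run it, and print
# what $prn held. The printf line is a hypothetical stand-in for the
# queue-status command: it only echoes $prn back.
run_generated() {
    script=$(mktemp) || return 1
    {
        printf 'prn=%s\n' "$(sh_quote "$1")"
        printf '%s\n' 'printf "%s" "$prn"'
    } > "$script"
    sh "$script"
    rc=$?
    rm -f "$script"
    return "$rc"
}

# Entry point a CGI handler would call: validate first, then generate.
printer_status() {
    is_valid_printer "$1" || { echo "rejected printer name" >&2; return 1; }
    run_generated "$1"
}
```

With quoting alone, the string from the report ends up in prn as a literal value and nothing after the ';' is run; with the allowlist in front, it is rejected before any script is written.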