
DansGuardian Webmin Module

Tracker: Bugs

9 edit.cgi can read any file of the system - ID: 869509
Last Update: Settings changed ( fuzzbawl )

I'm using webmin 2.121 with the last devel version of
your module...
If I use the URL:

https://mywebminserver:10000/dansguardian/edit.cgi?file=[FILE]

I can edit any file of my system, like:

https://mywebminserver:10000/dansguardian/edit.cgi?file=/etc/shadow


Is there a way to avoid this and jail my dansguardian
webmin module in /etc/dansguardian ?

Thank you very much and congratulations for your work!

Sorry if this was noticed before...


FIST ( flashsecurity ) - 2004-01-02 19:38

9

Closed

Fixed

Adam Kennedy

General

0.4.x

Public


Comments ( 2 )

Date: 2004-01-07 22:39
Sender: fuzzbawl (Project Admin)

Logged In: YES
user_id=49552

Fixed in CVS. Fixed file is also attached. Version 0.5.9
will be released later this week with fix included. Thanks
for finding this!


Date: 2004-01-03 01:46
Sender: fuzzbawl (Project Admin)

Logged In: YES
user_id=49552

That is definitely not good. I will modify edit.cgi and
verify that all other files are locked to their appropriate
directories. I will release a new version hopefully within a
week.
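
One way to lock a `file` parameter to a single directory, as the report asks. This is an added example, not the project's fix (the attached edit.cgi is not shown on this page). The helper name `confine_path` and the temporary directory standing in for /etc/dansguardian are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Return the canonical path if $requested is a regular file inside $base;
# return nothing otherwise. Hypothetical helper, not taken from edit.cgi.
sub confine_path {
    my ($base, $requested) = @_;
    return unless defined $requested && length $requested;
    return if $requested =~ /\0/;                 # no NUL bytes in file names
    my $real_base = realpath($base);
    return unless defined $real_base;
    # Relative names are taken relative to the base directory.
    my $candidate = File::Spec->file_name_is_absolute($requested)
        ? $requested
        : File::Spec->catfile($real_base, $requested);
    # realpath resolves "..", "." and symlinks; eval guards platforms where it dies.
    my $real = eval { realpath($candidate) };
    return unless defined $real && -f $real;
    # Trailing slash stops a sibling such as "<base>-old" matching the prefix.
    return unless index($real, "$real_base/") == 0;
    return $real;
}

# Constructed demo: a temporary directory stands in for /etc/dansguardian.
my $root = tempdir(CLEANUP => 1);
my $base = "$root/dansguardian";
make_path("$base/lists", "$root/dansguardian-old");
for my $f ("$base/dansguardian.conf", "$base/lists/bannedsitelist",
           "$root/shadow", "$root/dansguardian-old/conf") {
    open(my $fh, '>', $f) or die "$f: $!";
    print {$fh} "sample\n";
    close $fh;
}
symlink("$root/shadow", "$base/link") or die "symlink: $!";

for my $in ("$base/dansguardian.conf", "lists/bannedsitelist", "$root/shadow",
            "$base/../shadow", "$base/link", "$root/dansguardian-old/conf") {
    my $ok = confine_path($base, $in);
    printf "%-5s %s\n", (defined $ok ? "ALLOW" : "DENY"), $in;
}
```

The CGI should open the canonical path the helper returns rather than the raw parameter, so the file that was checked is the file that is read or written.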


Attached File ( 1 )

Filename Description Download
edit.cgi Download

Changes ( 7 )

Field Old Value Date By
allow_comments 1 2009-06-22 00:35 fuzzbawl
status_id Open 2004-01-07 22:39 fuzzbawl
resolution_id None 2004-01-07 22:39 fuzzbawl
close_date - 2004-01-07 22:39 fuzzbawl
File Added 72613: edit.cgi 2004-01-07 22:39 fuzzbawl
assigned_to nobody 2004-01-03 01:46 fuzzbawl
priority 5 2004-01-02 19:40 flashsecurity