I'm using webmin 2.121 with the last devel version of
your module...
If I use the URL:
https://mywebminserver:10000/dansguardian/edit.cgi?file=[FILE]
I can edit any file of my system, like:
https://mywebminserver:10000/dansguardian/edit.cgi?file=/etc/shadow
Is there a way to avoid this and jail my dansguardian
webmin module in /etc/dansguardian ?
Thank you very much and congratulations for your work!
Sorry if this was noticed before...
Logged In: YES
user_id=49552
That is definitely not good. I will modify edit.cgi and
verify that all other files are locked to their appropriate
directories. I will release a new version hopefully within a
week.
Logged In: YES
user_id=49552
Fixed in CVS. Fixed file is also attached. Version 0.5.9
will be released later this week with fix included. Thanks
for finding this!
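
One way to do the jailing asked about in this report, as an added example: it is not the module's actual fix or code from the project. The function name `confine_path` and the temporary sandbox standing in for `/etc/dansguardian` and `/etc/shadow` are assumptions made for illustration.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the canonical path when $requested resolves to an existing regular
# file inside $base; return undef for anything else (hypothetical helper).
sub confine_path {
    my ($base, $requested) = @_;
    return if !defined $requested || $requested eq '' || $requested =~ /\0/;
    my $real_base = realpath($base);
    return unless defined $real_base;
    # Relative names are resolved against the jail, never the CGI's cwd.
    my $candidate = File::Spec->file_name_is_absolute($requested)
        ? $requested
        : File::Spec->catfile($real_base, $requested);
    # realpath() collapses ".." and follows symlinks, so the comparison is
    # made on the file that would really be opened. It may die or return
    # undef for missing paths; both cases are refused.
    my $real = eval { realpath($candidate) };
    return unless defined $real && -f $real;
    # Trailing slash keeps a sibling such as "dansguardian2" from matching.
    return index($real, "$real_base/") == 0 ? $real : undef;
}

# Constructed sandbox: $jail plays /etc/dansguardian, $root/shadow plays
# /etc/shadow, and $jail/link is a symlink that points out of the jail.
sub touch { open(my $fh, '>', $_[0]) or die "$_[0]: $!"; close $fh }
my $root = tempdir(CLEANUP => 1);
my $jail = "$root/dansguardian";
mkdir $jail or die "mkdir: $!";
mkdir "$root/dansguardian2" or die "mkdir: $!";
touch("$jail/bannedsitelist");
touch("$root/dansguardian2/other.conf");
touch("$root/shadow");
symlink("$root/shadow", "$jail/link") or die "symlink: $!";

# Only the first two requests should be allowed.
for my $req ("bannedsitelist", "$jail/bannedsitelist", "$root/shadow",
             "../shadow", "$jail/../shadow", "link",
             "$root/dansguardian2/other.conf", "missing.conf") {
    my $ok = confine_path($jail, $req);
    printf "%-8s %s\n", defined $ok ? "allowed" : "refused", $req;
}
```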