In webmin 0.87 (and earlier no doubt) on my Mandrake
7.2 box (all operating systems probably), under
'Networking', 'Network Utilities'
there is a 'handy ping, traceroute, nmap etc.' window.
The hostname input is validated by the standard 'bad
character' check, which complains (in large red text)
if I enter a ';', but the text is passed to shell
anyway.
I entered 'localhost;ls' as the hostname and clicked
'Ping', here's the output...
-------------------------------------
[ Network Utilities 0.80.1 ]
Running the ping
Host name localhost;ls contains bad characters. Please correct and try again.
ping -c 5 -s 56 localhost;ls 2>&1
PING localhost (127.0.0.1): 56 octets data
64 octets from 127.0.0.1: icmp_seq=0 ttl=255 time=0.1 ms
64 octets from 127.0.0.1: icmp_seq=1 ttl=255 time=0.1 ms
64 octets from 127.0.0.1: icmp_seq=2 ttl=255 time=0.1 ms
64 octets from 127.0.0.1: icmp_seq=3 ttl=255 time=0.1 ms
64 octets from 127.0.0.1: icmp_seq=4 ttl=255 time=0.1 ms
--- localhost ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms
CHANGES
COPYING
acl_security.pl
config
config.info
defaultacl
dig.cgi
help
images
index.cgi
ipsc-lib.pl
ipsc.cgi
lang
lookup.cgi
module.info
nettools-lib.pl
nmap.cgi
ping.cgi
traceroute.cgi
whois.cgi
---------------
Not so good.
I assume a simple logic error allowed the command to
run despite the check failing. I hope it's not a
cut-and-paste to other places in the code - I haven't
looked....
This is a big issue if you allow webmin access to users
who shouldn't have shell access (it's not an issue if
you've given them telnet, ssh or 'command' access in
webmin). Samples include operators and help desk type
users who typically have a restricted set of functions
made available...
Cris
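The failure mode reported above (the check prints its error but the rejected value still reaches the shell) next to a fail-closed form, as an added Python example that is not the module's own code. The function names, the allowlist pattern and the use of Python instead of the module's Perl are assumptions; nothing is executed, the functions only return what would be run.

```python
import re
import shlex

# Assumed allowlist for a hostname or IPv4 address. The first character must
# be alphanumeric, so an accepted value can never be read as an option.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

# Shell operators that start another command.
SEPARATORS = {";", "|", "||", "&", "&&"}


def shell_command_count(cmdline):
    """Count the commands a shell would see in this string."""
    lexer = shlex.shlex(cmdline, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in SEPARATORS)


def ping_flawed(host):
    """Reported pattern: the check complains but execution carries on."""
    messages = []
    if not HOST_RE.fullmatch(host):
        messages.append(f"Host name {host} contains bad characters.")
        # Bug: no return here, so the rejected value is used anyway.
    cmdline = f"ping -c 5 -s 56 {host} 2>&1"
    return messages, cmdline  # the caller would hand this string to the shell


def ping_fixed(host):
    """Fail closed, and build an argument vector instead of a shell string."""
    if not HOST_RE.fullmatch(host):
        return [f"Host name {host} contains bad characters."], None
    # A list is passed to the program as-is (e.g. subprocess.run(argv));
    # no shell parses it, so metacharacters carry no meaning.
    return [], ["ping", "-c", "5", "-s", "56", host]


if __name__ == "__main__":
    # The second value is the one from the report.
    for value in ("localhost", "localhost;ls"):
        msgs, cmdline = ping_flawed(value)
        count = shell_command_count(cmdline)
        print("flawed:", msgs, repr(cmdline), "->", count, "command(s)")
        print("fixed: ", ping_fixed(value))
```
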
Logged In: YES
user_id=129364
I have forwarded this bug to the developer of the module,
which is not a core part of webmin ..
Logged In: YES
user_id=55951
The answer is the output. It is version 0.80.1 but current
is 0.88.1 (and soon another one, which I'm working on). This
bug has been fixed years ago (truly years!) so please
upgrade and report to the owner of the page you found an
outdated link on that they should update their webpage.
Nettools was the first third party module and a lot of old
links are floating around...