#4129 xmlrpc.cgi does wrong user check in command line block

Danny Sauer

The xmlrpc.cgi script has two errors.
One is that it uses $< rather than $> to determine the user. It doesn't make much difference who the real users is; if the effective UID is root (say, in the case of a suid root script), it should probably go ahead and run.
The other related (and minor) issue is that the error messages references xmlrpc.pl, when the script has actually been renamed to xmlrpc.cgi. But as long as you're on that line... :)

For the record, I found this trying to diagnose why I can't seem to make RPC calls against a custom module which uses DBI in my "running Webmin under Apache" environment, so it's unlikely to impact the typical user. But it seems worth reporting none the less.


  • Jamie Cameron

    Jamie Cameron - 2012-08-14

    Thanks - I'll fix this in the next Webmin release.

  • Jamie Cameron

    Jamie Cameron - 2012-08-14
    • status: open --> closed-fixed

Log in to post a comment.