From: Ryan W. M. <ry...@gu...> - 2001-05-29 01:59:17

> Not really - it doesn't happen in session authentication mode, which
> is the default in webmin 0.85. However, if you are still using the old
> traditional HTTP authentication then it will be a problem ..

Actually, it _does_ happen in session auth (which is what the WebTool uses). The "HTTP_COOKIE" env. var has "sid=xxxxxxxxx" in it. This is a step in the right direction of the hijacking of a connection.

> Version 0.86 will be out really soon which will fix this properly
> in both modes.

Thanks. I'll keep my eyes open and we can compare ways to fix it. I'm probably going to have to issue an advisory to close this issue, so if you want I'll send you a patch so you can see how I end up doing it...

> > Jamie, is this fixed in the latest version? I re-wrote the part of the
> > code that restarts apache but I am not cleaning the environment either,
> > making the WebTool susceptible to this bug too.
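
The environment cleaning discussed in this thread, as an added example (not code from Webmin, the WebTool, or either poster): a child started from a CGI handler inherits request variables such as HTTP_COOKIE unless the parent passes an allowlisted environment. The variable allowlist, the default PATH and the sample CGI environment are assumptions constructed for illustration, and the probe assumes a POSIX host.

```python
import json
import subprocess
import sys

# Assumption: the only variables a restarted daemon needs from its parent.
SAFE_VARS = ("PATH", "LANG", "TZ")
DEFAULT_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

def clean_env(parent_env):
    """Allowlist: copy known-safe variables, drop everything else."""
    env = {k: parent_env[k] for k in SAFE_VARS if k in parent_env}
    env.setdefault("PATH", DEFAULT_PATH)
    return env

def child_view(env):
    """Spawn a child with `env` and return the environment it actually sees."""
    probe = "import os, json; print(json.dumps(dict(os.environ)))"
    out = subprocess.run([sys.executable, "-c", probe], env=env,
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

def leaked(env, markers=("HTTP_", "REMOTE_", "QUERY_STRING")):
    """Names of request-derived (CGI) variables present in an environment."""
    return sorted(k for k in env if k.startswith(markers))

# Constructed CGI environment, as a web admin tool's request handler would see it.
CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_COOKIE": "sid=xxxxxxxxx",
    "REMOTE_USER": "admin",
    "QUERY_STRING": "action=restart",
}

if __name__ == "__main__":
    # Inherited environment: the session cookie reaches the child process.
    print("inherited:", leaked(child_view(CGI_ENV)))
    # Allowlisted environment: nothing request-derived survives.
    print("scrubbed: ", leaked(child_view(clean_env(CGI_ENV))))
```

An allowlist is used rather than deleting HTTP_COOKIE alone, so request variables added later by the web server do not reach a long-lived daemon.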