From: Jamie C. <jca...@we...> - 2001-05-29 02:36:03
"Ryan W. Maple" wrote:
>
> > Not really - it doesn't happen in session authentication mode, which
> > is the default in webmin 0.85. However, if you are still using the old
> > traditional HTTP authentication then it will be a problem ..
>
> Actually, it _does_ happen in session auth (which is what the WebTool
> uses). The "HTTP_COOKIE" env. var has "sid=xxxxxxxxx" in it. This is a
> step in the right direction of the hijacking of a connection.

Damn, you are right :(

> > Version 0.86 will be out really soon which will fix this properly
> > in both modes.
>
> Thanks. I'll keep my eyes open and we can compare ways to fix it. I'm
> probably going to have to issue an advisory to close this issue, so if you
> want I'll send you a patch so you can see how I end up doing it...

I've put an updated miniserv.pl on http://www.webmin.com/webmin/updates.html
for people to download ..

 - Jamie