Re: Webmin Doesn't Clean Env (root exploit) (fwd)

[Joe C. <jo...@sw...>]

Just a thought...Any reason why Webmin can't create a new environment 
for every external process it spawns (like daemons, and such--anything 
out of it's control)?  Seems like some of the stuff that's in there 
shouldn't be (obviously this information fits the bill).

It already has this feature for Custom Commands (if I understand things 
correctly).  I recently looked into doing this for a wget 
module...because some things are harder to set on the command line than 
in the environment, doesn't seem that difficult.  But then I'm no perl monk.

Ryan W. Maple wrote:

>>Not really - it doensn't happen in session authentication mode, which
>>is the default in webmin 0.85. However, if you are still using the old
>>traditional HTTP authentication then it will be a problem ..
>>
> 
> Actually, it _does_ happen in session auth (which is what the WebTool
> uses).  The "HTTP_COOKIE" env. var has "sid=xxxxxxxxx" in it.  This is a
> step in the right direction of the hijacking of a connection.
>  
> 
>>Version 0.86 will be out really soon which will fix this properly
>>in both modes.
>>
> 
> Thanks.  I'll keep my eyes open and we can compare ways to fix it.  I'm
> probably going to have to issue an advisory to close this issue, so if you
> want I'll send you a patch so you can see how I end up doing it...
> 
> 
>>>Jamie, is this fixed in the latest version?  I re-wrote the part of the
>>>code that restarts apache but I am not cleaning the environment either,
>>>making the WebTool succeptable to this bug too.
>>>

                                   --
                      Joe Cooper <jo...@sw...>
                  Affordable Web Caching Proxy Appliances
                         http://www.swelltech.com