From: Jaldhar H. V. <ja...@de...> - 2004-06-13 05:22:00
|
Jamie,

Can you comment on the recent security flaws discovered in usermin and webmin, the ones that were fixed for 1.080 and 1.150? What exactly are the issues? The Japanese group SAN put out advisories but they're rather low on detail. Am I right that there are no known exploits at this time?

Also could you provide a diff of the security changes only vis-a-vis 1.070/1.140? The Debian security team would like to take a look. Thanks in advance.

--
Jaldhar H. Vyas <ja...@de...>
La Salle Debain - http://www.braincells.com/debian/ |
From: Jamie C. <jca...@we...> - 2004-06-13 05:59:08
|
There were three issues, none of which were too serious:

1) A logged-in Webmin user could view (but not change) the configuration of any module, even those that he wasn't granted access to. This can be fixed by inserting the following lines at line 9 of config.cgi:

    &read_acl(\%acl);
    $acl{$base_remote_user,$m} || &error($text{'config_eaccess'});

2) By attempting to log in with a username containing a space, an attacker could lock out valid Webmin users. This is really just a denial-of-service attack, not a remote access vulnerability. It was fixed by changing line 1056 of miniserv.pl from:

    if ($authuser =~ /\r|\n/) {

to

    if ($authuser =~ /\r|\n|\s/) {

3) When reading an HTML attachment in Usermin's Read Mail module, malicious links or image references in the HTML could be used to trigger the execution of commands in Usermin. For example, a link like:

    <a href=../proc/run.cgi?cmd=rm+*>click me</a>

The patch for this one is a bit too complex to include in this email - I would recommend upgrading the entire Read Mail module instead.

 - Jamie

"Jaldhar H. Vyas" <ja...@de...> wrote ..
> Jamie,
>
> Can you comment on the recent security flaws discovered in usermin and
> webmin, the ones that were fixed for 1.080 and 1.150? What exactly are
> the issues? The Japanese group SAN put out advisories but they're rather
> low on detail. Am I right that there are no known exploits at this time?
>
> Also could you provide a diff of the security changes only vis-a-vis
> 1.070/1.140? The Debian security team would like to take a look. Thanks
> in advance.
>
> --
> Jaldhar H. Vyas <ja...@de...>
> La Salle Debain - http://www.braincells.com/debian/
|
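An added illustration of issue 3 above (not part of the original email, and not the Read Mail module's actual patch, which the message does not show): one way to neutralise links and image references in HTML mail before a webmail front end displays it. It is written in Python rather than Usermin's Perl; the host name `usermin.example`, the function names and the sample HTML are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a browser fetch or navigate to a URL.
URL_ATTRS = {"href", "src", "action", "background"}

def is_safe_url(value, own_hosts):
    """True only for mailto: or absolute http(s) URLs on a foreign host."""
    # Relative references resolve against the webmail origin, so the reader's
    # session would authorise whatever CGI they point at.
    try:
        parts = urlsplit(value.strip())
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme == "mailto":
        return True
    return parts.scheme in ("http", "https") and bool(host) and host not in own_hosts

class MailLinkFilter(HTMLParser):
    """Re-emit HTML mail, dropping URL attributes that fail is_safe_url()."""
    def __init__(self, own_hosts):
        super().__init__(convert_charrefs=True)
        self.own_hosts, self.out, self.dropped = own_hosts, [], []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name in URL_ATTRS and not is_safe_url(value or "", self.own_hosts):
                self.dropped.append((tag, name, value))  # keep for logging
            else:
                kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def filter_mail_html(body, own_hosts):
    f = MailLinkFilter(own_hosts)
    f.feed(body)
    f.close()
    return "".join(f.out), f.dropped

# Constructed sample; the first link is the one quoted in the message.
SAMPLE = ('<p><a href=../proc/run.cgi?cmd=rm+*>click me</a>'
          '<img src="https://usermin.example:20000/proc/run.cgi?cmd=EXAMPLE">'
          '<a href="https://www.example.org/news">news</a></p>')
```

Calling `filter_mail_html(SAMPLE, {"usermin.example"})` returns the rewritten HTML plus a list of the attributes it removed. The filter covers URL-bearing attributes only; scripts and inline event handlers need separate handling.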
From: <be...@ge...> - 2004-06-14 20:43:44
|
I'm trying to foreign require virtual servers like this:

    &foreign_require("virtual-server", "virtual-server-lib.pl");

Whenever I do so the page locks up and doesn't display. Am I doing something wrong?

-ben |
From: John H. <web...@ew...> - 2004-06-14 23:40:07
|
Well, there is a fix for it...

If you edit httpd.conf by hand and do not do a carriage return after the closing </VirtualHost> tag, Virtualmin... hmmmm.... or would that be the Apache module? Likely the Apache module, will continue on the same line opening the next <VirtualHost> tag. Apache 2.0 won't restart and Webmin complains about a missing '>' on line number XXXX.

It would be better protected if a 'CR' was issued before the next entry, just in case some hand edits have been done. Also, it does divide the virtual servers a bit better.

Bug?? Not really.. a potential gotcha? Definitely.

Best,
John Hinton |
From: Jamie C. <jca...@we...> - 2004-06-15 02:13:45
|
Thanks for pointing this one out - it is a bug in Virtualmin, exactly as you described, which will be fixed in the next version.

 - Jamie

John Hinton <web...@ew...> wrote ..
> Well, there is a fix for it...
>
> If you edit httpd.conf by hand and do not do a carriage return after the
> closing </VirtualHost> tag, Virtualmin... hmmmm.... or would that be the
> Apache module? Likely the Apache module, will continue on the same line
> opening the next <VirtualHost> tag. Apache 2.0 won't restart and Webmin
> complains about a missing '>' on line number XXXX.
>
> It would be better protected if a 'CR' was issued before the next entry,
> just in case some hand edits have been done. Also, it does divide the
> virtual servers a bit better.
>
> Bug?? Not really.. a potential gotcha? Definitely.
>
> Best,
> John Hinton
|