|
From: Hamid H. <ha...@mo...> - 2006-01-08 21:23:10
|
Hi ,
I am using Webmin and Virtualmin for fedora core 4 and installed apache
2.0.54 and php 5.0.4.
When I was surfing the hosts and tried one of the hosts info.php which
contains phpinfo() function to see if everything's working fine that host
on virtualmin or not and saw something interesting in PHP Variables
section of phpinfo() !!
I saw some $_ENV variables which contains some information about the
webmin and virtualmin even some passwords of virtualmin !!!!
here is some example about these variables :
_ENV["DOCUMENT_REALROOT"] /usr/libexec/webmin
_ENV["VIRTUALSERVER_MAILBOXLIMIT"] 20
_ENV["VIRTUALSERVER_LOGROTATE"] 1
_ENV["VIRTUALSERVER_PREFIX"] xxxxxxxxx ( I changed this !)
_ENV["VIRTUALSERVER_IP"] xx.xx.xx.xx ( this too ! )
_ENV["QUOTA_SBLOCKS"] 10240
_ENV["HTTP_CONTENT_LENGTH"] 436
_ENV["VIRTUALSERVER_LIMIT_WEB"] 1
_ENV["QUOTA_FILESYS"] /home
_ENV["VIRTUALSERVER_GID"] 538
_ENV["MINISERV_CONFIG"] /etc/webmin/miniserv.conf
_ENV["VIRTUALSERVER_POSTGRES"] /no value/
_ENV["VIRTUALSERVER_MAIL"] 1
_ENV["QUOTA_HFILES"] 0
and a lot of other variables which is really secure ! I don't know from
where phpinfo() found these but I need to solve this problem ASAP ! Also
I checked the same issue on another server and the same result happened
! any idea ?
--
Regards
=================================================================
/ Seyyed Hamid Reza / WINDOWS FOR NOW !! /
/ Hashemi Golpayegani / Linux for future , FreeBSD for ever /
/ Morva System Co. / ------------------------------------- /
/ Network Administrator/ ha...@mo... , ICQ# : 42209876 /
================================================================
|
|
From: Hamid H. <ha...@mo...> - 2006-01-08 21:38:01
|
Please check this link :
http://noc.postnuke.com/tracker/index.php?func=detail&aid=1309&group_id=5&atid=101
it seems that this problem happened cause of restarting httpd from the
webmin HTTPS session. any idea how to solve the problem permanently ?!

Hamid Hashemi wrote:
> Hi ,
>
> I am using Webmin and Virtualmin for fedora core 4 and installed
> apache 2.0.54 and php 5.0.4.
> When I was surfing the hosts and tried one of the hosts info.php which
> contains phpinfo() function to see if everything's working fine that
> host on virtualmin or not and saw something interesting in PHP
> Variables section of phpinfo() !!
> I saw some $_ENV variables which contains some information about the
> webmin and virtualmin even some passwords of virtualmin !!!!
> here is some example about these variables :
>
> _ENV["DOCUMENT_REALROOT"] /usr/libexec/webmin
> _ENV["VIRTUALSERVER_MAILBOXLIMIT"] 20
> _ENV["VIRTUALSERVER_LOGROTATE"] 1
> _ENV["VIRTUALSERVER_PREFIX"] xxxxxxxxx ( I changed this !)
> _ENV["VIRTUALSERVER_IP"] xx.xx.xx.xx ( this too ! )
> _ENV["QUOTA_SBLOCKS"] 10240
> _ENV["HTTP_CONTENT_LENGTH"] 436
> _ENV["VIRTUALSERVER_LIMIT_WEB"] 1
> _ENV["QUOTA_FILESYS"] /home
> _ENV["VIRTUALSERVER_GID"] 538
> _ENV["MINISERV_CONFIG"] /etc/webmin/miniserv.conf
> _ENV["VIRTUALSERVER_POSTGRES"] /no value/
> _ENV["VIRTUALSERVER_MAIL"] 1
> _ENV["QUOTA_HFILES"] 0
>
>
> and a lot of other variables which is really secure ! I don't know
> from where phpinfo() found these but I need to solve this problem ASAP
> ! Also I checked the same issue on another server and the same result
> happened ! any idea ?
>
> --
> Regards
> =================================================================
> / Seyyed Hamid Reza / WINDOWS FOR NOW !! /
> / Hashemi Golpayegani / Linux for future , FreeBSD for ever /
> / Morva System Co. / ------------------------------------- /
> / Network Administrator/ ha...@mo... , ICQ# : 42209876 /
> ================================================================
>
|
From: Jamie C. <jca...@we...> - 2006-01-08 23:24:07
|
On 9/Jan/2006 08:34 Hamid Hashemi wrote ..
> Hi ,
>
> I am using Webmin and Virtualmin for fedora core 4 and installed apache
> 2.0.54 and php 5.0.4.
> When I was surfing the hosts and tried one of the hosts info.php which
> contains phpinfo() function to see if everything's working fine that host
> on virtualmin or not and saw something interesting in PHP Variables
> section of phpinfo() !!
> I saw some $_ENV variables which contains some information about the
> webmin and virtualmin even some passwords of virtualmin !!!!
> here is some example about these variables :
>
> _ENV["DOCUMENT_REALROOT"] /usr/libexec/webmin
> _ENV["VIRTUALSERVER_MAILBOXLIMIT"] 20
> _ENV["VIRTUALSERVER_LOGROTATE"] 1
> _ENV["VIRTUALSERVER_PREFIX"] xxxxxxxxx ( I changed this !)
> _ENV["VIRTUALSERVER_IP"] xx.xx.xx.xx ( this too ! )
> _ENV["QUOTA_SBLOCKS"] 10240
> _ENV["HTTP_CONTENT_LENGTH"] 436
> _ENV["VIRTUALSERVER_LIMIT_WEB"] 1
> _ENV["QUOTA_FILESYS"] /home
> _ENV["VIRTUALSERVER_GID"] 538
> _ENV["MINISERV_CONFIG"] /etc/webmin/miniserv.conf
> _ENV["VIRTUALSERVER_POSTGRES"] /no value/
> _ENV["VIRTUALSERVER_MAIL"] 1
> _ENV["QUOTA_HFILES"] 0
>
>
> and a lot of other variables which is really secure ! I don't know from
> where phpinfo() found these but I need to solve this problem ASAP ! Also
> I checked the same issue on another server and the same result happened
> ! any idea ?
This is a bug in Webmin - in some cases, environment variables are being passed
through to the Apache process. It will be fixed in the next release, but in the short
term you can resolve it by finding the clean_environment function in web-lib-funcs.pl
and replacing it with :
# clean_environment()
# Deletes any environment variables inherited from miniserv so that they
# won't be passed to programs started by webmin.
sub clean_environment
{
    local ($k, $e);
    # Keep a copy of the original environment before stripping it
    %UNCLEAN_ENV = %ENV;
    # Remove every variable whose name starts with one of these prefixes
    foreach $k (keys %ENV) {
        if ($k =~ /^(HTTP|VIRTUALSERVER|QUOTA|USERADMIN)_/) {
            delete($ENV{$k});
        }
    }
    # Remove the individually named CGI and Webmin variables
    foreach $e ('WEBMIN_CONFIG', 'SERVER_NAME', 'CONTENT_TYPE', 'REQUEST_URI',
                'PATH_INFO', 'WEBMIN_VAR', 'REQUEST_METHOD', 'GATEWAY_INTERFACE',
                'QUERY_STRING', 'REMOTE_USER', 'SERVER_SOFTWARE', 'SERVER_PROTOCOL',
                'REMOTE_HOST', 'SERVER_PORT', 'DOCUMENT_ROOT', 'SERVER_ROOT',
                'MINISERV_CONFIG', 'SCRIPT_NAME', 'SERVER_ADMIN', 'CONTENT_LENGTH',
                'HTTPS', 'FOREIGN_MODULE_NAME', 'FOREIGN_ROOT_DIRECTORY',
                'SCRIPT_FILENAME', 'PATH_TRANSLATED', 'BASE_REMOTE_USER',
                'DOCUMENT_REALROOT', 'MINISERV_CONFIG') {
        delete($ENV{$e});
    }
}
- Jamie
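
A way to check whether a running web server has inherited these variables, as an added example that is not part of the original thread and not Webmin's own code. The function names, the sample data and the process name `httpd` are assumptions; the name patterns are taken from the clean_environment replacement above (its prefixes plus a subset of the Webmin-specific names), and it relies on Linux /proc.

```sh
#!/bin/sh
# Added example: audit process environments for variables inherited from
# Webmin/Virtualmin. Only variable NAMES are printed, never their values.

# Prefixes and Webmin-specific names from the clean_environment replacement.
LEAK_RE='^((HTTP|VIRTUALSERVER|QUOTA|USERADMIN)_[^=]*|WEBMIN_CONFIG|WEBMIN_VAR|MINISERV_CONFIG|DOCUMENT_REALROOT|FOREIGN_MODULE_NAME|FOREIGN_ROOT_DIRECTORY|BASE_REMOTE_USER)='

# leaked_names FILE
# FILE uses the /proc/<pid>/environ layout: NUL-separated NAME=value records.
# Values containing newlines can produce stray lines; names are unaffected.
leaked_names() {
    tr '\0' '\n' < "$1" | grep -E "$LEAK_RE" | cut -d= -f1 | sort -u
}

# sample_environ FILE
# Writes a constructed environ-style sample (not captured from a real host).
sample_environ() {
    printf 'PATH=/usr/bin\0VIRTUALSERVER_GID=538\0QUOTA_FILESYS=/home\0' > "$1"
    printf 'MY_HTTP_PROXY=x\0MINISERV_CONFIG=/etc/webmin/miniserv.conf\0' >> "$1"
}

# audit_procs NAME
# Checks every running process called NAME; returns 1 if any of them carries
# a matching variable. Needs root to read other users' /proc/<pid>/environ.
audit_procs() {
    found=0
    for pid in $(pgrep -x "$1"); do
        names=$(leaked_names "/proc/$pid/environ" 2>/dev/null)
        if [ -n "$names" ]; then
            found=1
            printf 'pid %s inherits: %s\n' "$pid" "$(echo $names)"
        fi
    done
    return "$found"
}

# Typical use after restarting Apache from Webmin or creating a virtual host:
#   audit_procs httpd && echo "environment clean"
```

Running the audit after each of the restart paths mentioned in this thread shows which one still passes the environment through.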
|
|
From: Hamid H. <ha...@mo...> - 2006-02-02 13:58:16
|
Jamie,
I believe that in some cases this problem happened again also after
Webmin version 1.260 . before this version if you restart the apache
from the webmin the variables passed to the new httpd but in this
version this only happen if you make a new virtual host in your
virtualmin . but if you restart the httpd from the webmin itself the
variables gone ! can you please check into it to see if this problem
already exist or this is only my problem ?!
Jamie Cameron wrote:
> On 9/Jan/2006 08:34 Hamid Hashemi wrote ..
>
>> Hi ,
>>
>> I am using Webmin and Virtualmin for fedora core 4 and installed apache
>> 2.0.54 and php 5.0.4.
>> When I was surfing the hosts and tried one of the hosts info.php which
>> contains phpinfo() function to see if everything's working fine that host
>> on virtualmin or not and saw something interesting in PHP Variables
>> section of phpinfo() !!
>> I saw some $_ENV variables which contains some information about the
>> webmin and virtualmin even some passwords of virtualmin !!!!
>> here is some example about these variables :
>>
>> _ENV["DOCUMENT_REALROOT"] /usr/libexec/webmin
>> _ENV["VIRTUALSERVER_MAILBOXLIMIT"] 20
>> _ENV["VIRTUALSERVER_LOGROTATE"] 1
>> _ENV["VIRTUALSERVER_PREFIX"] xxxxxxxxx ( I changed this !)
>> _ENV["VIRTUALSERVER_IP"] xx.xx.xx.xx ( this too ! )
>> _ENV["QUOTA_SBLOCKS"] 10240
>> _ENV["HTTP_CONTENT_LENGTH"] 436
>> _ENV["VIRTUALSERVER_LIMIT_WEB"] 1
>> _ENV["QUOTA_FILESYS"] /home
>> _ENV["VIRTUALSERVER_GID"] 538
>> _ENV["MINISERV_CONFIG"] /etc/webmin/miniserv.conf
>> _ENV["VIRTUALSERVER_POSTGRES"] /no value/
>> _ENV["VIRTUALSERVER_MAIL"] 1
>> _ENV["QUOTA_HFILES"] 0
>>
>>
>> and a lot of other variables which is really secure ! I don't know from
>> where phpinfo() found these but I need to solve this problem ASAP ! Also
>> I checked the same issue on another server and the same result happened
>> ! any idea ?
>>
>
> This is a bug in Webmin - in some cases, environment variables are being passed
> through to the Apache process. It will be fixed in the next release, but in the short
> term you can resolve it by finding the clean_environment function in web-lib-funcs.pl
> and replacing it with :
>
> # clean_environment()
> # Deletes any environment variables inherited from miniserv so that they
> # won't be passed to programs started by webmin.
> sub clean_environment
> {
>     local ($k, $e);
>     %UNCLEAN_ENV = %ENV;
>     foreach $k (keys %ENV) {
>         if ($k =~ /^(HTTP|VIRTUALSERVER|QUOTA|USERADMIN)_/) {
>             delete($ENV{$k});
>         }
>     }
>     foreach $e ('WEBMIN_CONFIG', 'SERVER_NAME', 'CONTENT_TYPE', 'REQUEST_URI',
>                 'PATH_INFO', 'WEBMIN_VAR', 'REQUEST_METHOD', 'GATEWAY_INTERFACE',
>                 'QUERY_STRING', 'REMOTE_USER', 'SERVER_SOFTWARE', 'SERVER_PROTOCOL',
>                 'REMOTE_HOST', 'SERVER_PORT', 'DOCUMENT_ROOT', 'SERVER_ROOT',
>                 'MINISERV_CONFIG', 'SCRIPT_NAME', 'SERVER_ADMIN', 'CONTENT_LENGTH',
>                 'HTTPS', 'FOREIGN_MODULE_NAME', 'FOREIGN_ROOT_DIRECTORY',
>                 'SCRIPT_FILENAME', 'PATH_TRANSLATED', 'BASE_REMOTE_USER',
>                 'DOCUMENT_REALROOT', 'MINISERV_CONFIG') {
>         delete($ENV{$e});
>     }
> }
>
> - Jamie
>
--
Regards
=================================================================
/ Seyyed Hamid Reza / WINDOWS FOR NOW !! /
/ Hashemi Golpayegani / Linux for future , FreeBSD for ever /
/ Morva System Co. / ------------------------------------- /
/ Network Administrator/ ha...@mo... , ICQ# : 42209876 /
================================================================
|
|
From: Jamie C. <jca...@we...> - 2006-02-02 23:30:33
|
Hi Hamid,
You are correct, I overlooked the case where Webmin or Virtualmin restarts
Apache ... this will be fixed in the next release.
- Jamie
On 3/Feb/2006 01:10 Hamid Hashemi wrote ..
> Jamie,
>
> I believe that in some cases this problem happened again also after
> Webmin version 1.260 . before this version if you restart the apache
> from the webmin the variables passed to the new httpd but in this
> version this only happen if you make a new virtual host in your
> virtualmin . but if you restart the httpd from the webmin itself the
> variables gone ! can you please check into it to see if this problem
> already exist or this is only my problem ?!
|