As pointed out in
http://www.osreviews.net/reviews/admin/usermin it is
possible to disable the login shell of the root account
by calling save.cgi with an empty value for the shell.
The problem is that the command is expanded to `chsh -s
foo`, which changes the shell of the root account to
foo instead of changing foo's shell.
When combined with some well-known social engineering
tactics (cf. "Stealing Superuser" in Practical UNIX &
Internet Security) it might even be possible to obtain
root access to the system.
Logged In: YES
user_id=129364
Thanks for pointing this out - I will fix it in the next
release of Usermin.
Logged In: NO
AFAICS this has not been fixed yet. Any possibility that
this will be addressed in the future?
Logged In: YES
user_id=129364
This is definately fixed in Usermin 1.220.
In the file chfn/save.cgi, there is a check on line 19 for
an empty shell.