Bugtraq mailing list archives
Re: Webmin Doesn't Clean Env (root exploit)
From: Marcus Meissner <Marcus.Meissner () caldera de>
Date: Tue, 29 May 2001 16:14:06 +0200
On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
Not sure if this is known, however I know I've seen quite a few people still using webmin 0.84. Webmin doesn't seem to clean the env properly when starting apache (probably in other cases as well). It leaves the var HTTP_AUTHORIZATION set. All you need to do is run it through a mime 64 decode and you have the login and password to webmin. (It also leaves SERVER_PORT set so there should be no problem figuring out where the webmin is.)
This is also a problem with newer versions. While it now uses a Cookie to save authorization information, this cookie is passed to apache as an environment variable and could be queried; the environment variable is:

HTTP_COOKIE=sid=1054633991

If you have this session id, you can attach to a running webmin session easily (for instance if the administrator forgot to log off and just quit his browser or has it still open).

Ciao, Marcus
--
_____ ___
/ __/____/ / Caldera (Deutschland) GmbH
/ /_/ __ / /__ Naegelsbachstr. 49c, 91052 Erlangen
/_____//_/ /____/ Dipl. Inf. Marcus Meissner, email: mm () caldera de
==== /_____/ ====== phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
Caldera OpenLinux
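A defensive check for the leak discussed in this thread, as an added example that is not part of the original posts or Webmin's own code: it builds an allowlisted environment for a daemon started from a CGI handler and audits environment blocks (the NUL-separated /proc/<pid>/environ format) for leftover request variables, reporting names only. The function names, the allowlist (PATH, LANG, TZ) and the sample block are assumptions made for illustration.

```python
import os
import subprocess

# CGI/1.1 per-request meta-variables; together with the HTTP_* header copies,
# none of these belong in the environment of a long-running daemon.
CGI_META = {
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "SERVER_SOFTWARE",
}

def is_request_var(name):
    return name.startswith("HTTP_") or name in CGI_META

def scrubbed_env(env, keep=("PATH", "LANG", "TZ")):
    """Allowlist (assumed): pass on only what the child actually needs."""
    return {k: env[k] for k in keep if k in env}

def leaked_request_vars(blob):
    """Names (never values) of request variables in a NUL-separated block."""
    names = (e.split(b"=", 1)[0].decode("ascii", "replace")
             for e in blob.split(b"\0") if b"=" in e)
    return sorted(n for n in names if is_request_var(n))

def audit_proc(proc="/proc"):
    """Map pid -> leaked variable names for every process we may read (Linux)."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as fh:
                names = leaked_request_vars(fh.read())
        except OSError:
            continue  # process exited or belongs to another user
        if names:
            findings[int(pid)] = names
    return findings

def start_daemon(argv, env=None):
    """Start a service from a CGI handler without the request environment."""
    base = os.environ if env is None else env
    return subprocess.Popen(argv, env=scrubbed_env(base), close_fds=True)

# Constructed sample: environment block of a daemon started from a CGI request.
SAMPLE = (b"PATH=/usr/bin\0SERVER_PORT=10000\0HTTP_COOKIE=sid=1054633991\0"
          b"HTTP_AUTHORIZATION=Basic PLACEHOLDER\0")

if __name__ == "__main__":
    print("sample:", leaked_request_vars(SAMPLE))
    if os.path.isdir("/proc"):
        for pid, names in sorted(audit_proc().items()):
            print(pid, ",".join(names))
```

Run as root to cover every process; a daemon that shows up in the audit has to be restarted from a clean environment to clear the inherited values.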
Current thread:
- Webmin Doesn't Clean Env (root exploit) J. Nick Koston (May 28)
- Re: Webmin Doesn't Clean Env (root exploit) Marcus Meissner (May 29)
- Re: Webmin Doesn't Clean Env (root exploit) Eugene Tsyrklevich (May 30)