[20799] in bugtraq


Re: Webmin Doesn't Clean Env (root exploit)

daemon@ATHENA.MIT.EDU (Marcus Meissner)
Tue May 29 11:29:46 2001

Date: Tue, 29 May 2001 16:14:06 +0200
From: Marcus Meissner <Marcus.Meissner@caldera.de>
To: "J. Nick Koston" <nick@burst.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20010529161406.A25789@caldera.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010526165535.B2704@burst.net>; from nick@burst.net on Sat, May 26, 2001 at 04:55:35PM -0400

On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
> Not sure if this is known, however I know I've seen quite a few people
> still using webmin 0.84.
> 
> Webmin doesn't seem to clean the env properly when starting apache
> (probably in other cases as well)
> 
> It leaves the var HTTP_AUTHORIZATION set.  All you need to do is run
> it through a mime 64 decode and you have the login and password to
> webmin.  (it also leaves SERVER_PORT set so there should be no problem
> figuring out where the webmin is)

This is also a problem with newer versions.

While it now uses a cookie to save authorization information, this cookie
is passed to apache as an environment variable and could be queried. The
environment variable is:

	HTTP_COOKIE=sid=1054633991

If you have this session id, you can attach to a running webmin session
easily (for instance if the administrator forgot to log off and just quit
his browser, or still has it open).

Ciao, Marcus
-- 
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__          Naegelsbachstr. 49c, 91052 Erlangen
   /_____//_/ /____/       Dipl. Inf. Marcus Meissner, email: mm@caldera.de
  ==== /_____/ ======    phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
   Caldera OpenLinux

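The defect both posts describe is a process-spawning one: the request-derived CGI variables (HTTP_AUTHORIZATION, HTTP_COOKIE, SERVER_PORT) are left in the environment that the child service inherits. The Python below is an added illustration, not Webmin's code and not part of the thread; it constructs a sample request environment (all values made up, the sid copied from the message above), shows that a child process really can read those variables, and shows the mitigation of building the child environment from an allowlist instead of trying to delete known-bad names. The allowlist contents and the list of CGI meta-variables are assumptions chosen for the example.

```python
import subprocess
import sys

# Constructed request environment, shaped like what a CGI-driven admin tool
# receives from its HTTP front end.  Every value here is a made-up sample.
REQUEST_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/root",
    "HTTP_AUTHORIZATION": "Basic Y29uc3RydWN0ZWQ6c2FtcGxl",  # constructed token
    "HTTP_COOKIE": "sid=1054633991",                          # value from the thread
    "SERVER_PORT": "10000",
    "REMOTE_ADDR": "192.0.2.10",
    "QUERY_STRING": "action=restart",
}

# Allowlist (assumption for this example): the only variables a spawned
# service such as apache should inherit from the admin tool.
CHILD_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "TZ"})

# CGI meta-variables that describe the request rather than the host.
_CGI_META = {
    "SERVER_PORT", "SERVER_NAME", "REMOTE_ADDR", "REMOTE_USER",
    "QUERY_STRING", "REQUEST_METHOD", "PATH_INFO", "SCRIPT_NAME",
}


def request_derived_vars(env):
    """Names in `env` that carry request state: HTTP_* headers or CGI meta vars."""
    return sorted(k for k in env if k.startswith("HTTP_") or k in _CGI_META)


def scrub_env(env, allowlist=CHILD_ALLOWLIST):
    """Build the child's environment by allowlisting, so that a header the
    front end adds later (a new HTTP_* variable, say) is dropped by default."""
    return {k: v for k, v in env.items() if k in allowlist}


# Probe run inside the child: report which HTTP_*/SERVER_* names it can see.
_CHILD_PROBE = (
    "import os; print(' '.join(sorted(k for k in os.environ "
    "if k.startswith('HTTP_') or k.startswith('SERVER_'))))"
)


def vars_visible_to_child(env):
    """Spawn a child with `env` and return the request variables it can read."""
    result = subprocess.run(
        [sys.executable, "-c", _CHILD_PROBE],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout.split()


if __name__ == "__main__":
    print("leaked to child (raw env):    ", vars_visible_to_child(REQUEST_ENV))
    print("leaked to child (scrubbed):   ", vars_visible_to_child(scrub_env(REQUEST_ENV)))
    print("request vars still in parent: ", request_derived_vars(REQUEST_ENV))
```

The point of `scrub_env` is the direction of the filter: a denylist of "HTTP_AUTHORIZATION, HTTP_COOKIE, SERVER_PORT" would have been correct for 0.84 and silently wrong again once the cookie-based session arrived, whereas an allowlist only ever passes the handful of host variables the child actually needs. `request_derived_vars` is the corresponding check one can run against a process's environment (for instance from a startup script or a test) to confirm nothing request-derived survived.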