[23540] in bugtraq


Re: webmin 0.91 ../.. problem

daemon@ATHENA.MIT.EDU (KF)
Mon Dec 17 22:22:57 2001

Message-ID: <3C1E7F09.3F4DE056@snosoft.com>
Date: Mon, 17 Dec 2001 18:26:01 -0500
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: "A. Ramos" <aramos@aramos-test.prisacom.int>, bugtraq@security-focus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

On 0.85 I was simply prompted for the user and password... I have one
question: were you already logged into webmin prior to typing this URL?
I want to know if it first requires authentication to access the CGI
scripts... I suspect it does and that your credentials were cached?
-KF

"A. Ramos" wrote:
> 
>         Hello,
> 
>         I found a bug in webmin 0.91.
> 
>   From web:
> 
> <snip>
> What is Webmin?
> Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can setup user accounts, Apache, DNS, file sharing and so on.
> Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no non-standard Perl modules.
> </snip>
> 
>         With this software you can start and stop services as a simple user, and edit init scripts,
>  like this: http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+makedev
>  but you can use this:
> http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+../../../../../etc/shadow
> 
> The problem resides in init/edit_action.cgi:
> <snip>
>         open(FILE, $file);
>         while(<FILE>) {
>                 $data .= $_;
>                 if (/^\s*(['"]?)([a-z]+)\1\)/i) {
>                         $hasarg{$2}++;
>                         }
>                 }
>         close(FILE);
> </snip>
>         To fix, use your favorite regexp.
> 
>         Yes, you can save a file on the server...
> 
> --
> Prisacom
> A. Ramos mailto:aramos@prisacom.com
> Dpto. Admin. Sistemas
> --
