[23561] in bugtraq
Re: webmin 0.91 ../.. problem
daemon@ATHENA.MIT.EDU (Mark van Reijn)
Wed Dec 19 16:10:57 2001
Date: Wed, 19 Dec 2001 12:19:12 +0100
Message-Id: <200112191119.MAA15481@obelix.edup.tudelft.nl>
To: bugtraq@security-focus.com
From: Mark van Reijn <mark@edup.tudelft.nl>
Hello all,
Had to double-check this, being a rabid webmin promoter.
No, you cannot access the URL without first logging in. So far so good.
Second, within webmin it is possible to restrict users, and this bug is still
restricted by the webmin ACL system.
I was NOT able to read the shadow file without having access to the
module "Bootup and Shutdown".
With this module you can control the complete init process, reboot, halt, etc.,
so it will probably be accessible only by trusted users...
Greetz,
Mark
KF <dotslash@snosoft.com> said:
> On 0.85 I was simply prompted for the user and password... I have one
> question: were you already
> logged into webmin prior to typing this URL? I want to know if it first
> requires authentication to
> access the CGI scripts... I suspect it does and that your credentials
> were cached?
> -KF
>
> "A. Ramos" wrote:
> >
> > Hello,
> >
> > I found a bug in webmin 0.91.
<SNIP>
> >
> > http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+../../../../../etc/shadow
> >
> > The problem resides in init/edit_action.cgi:
> > <snip>
> > open(FILE, $file);
> > while(<FILE>) {
> > $data .= $_;
> > if (/^\s*(['"]?)([a-z]+)\1\)/i) {
> > $hasarg{$2}++;
> > }
> > }
> > close(FILE);
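
Added example, not part of the original thread and not Webmin's own code: the quoted read loop with the file name confined to one directory before it is opened. It assumes the action name is meant to be a plain file name inside the init script directory; `safe_action_path`, `read_action` and the temporary directory standing in for that directory are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# Hypothetical helper: return the canonical path of $name if it is a regular
# file inside $base_dir, otherwise return nothing.
sub safe_action_path {
    my ($base_dir, $name) = @_;
    return unless defined $name && length $name;
    # Action names are plain file names: no separators, no NUL, no dot entries.
    return if $name =~ m{[/\\\0]} || $name eq '.' || $name eq '..';
    my $base = abs_path($base_dir);
    return unless defined $base;
    my $real = abs_path("$base/$name");    # resolves symlinks
    return unless defined $real && -f $real;
    # A symlink could still point elsewhere: the resolved path must stay in $base.
    return unless index($real, "$base/") == 0;
    return $real;
}

# Same loop as the quoted snippet, but the path is validated first and the
# three-argument open treats $path purely as a file name to read.
sub read_action {
    my ($base_dir, $name) = @_;
    my $path = safe_action_path($base_dir, $name)
        or die "rejected action name\n";
    open(my $fh, '<', $path) or die "open failed: $!\n";
    my ($data, %hasarg) = ('');
    while (my $line = <$fh>) {
        $data .= $line;
        $hasarg{$2}++ if $line =~ /^\s*(['"]?)([a-z]+)\1\)/i;
    }
    close($fh);
    return ($data, \%hasarg);
}

# Constructed demo: a temporary directory stands in for the init script directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/sshd") or die "cannot create sample: $!\n";
print $out "case \"\$1\" in\n  start)\n  ;;\n  'stop')\n  ;;\nesac\n";
close($out);

for my $name ('sshd', '../../../../../etc/shadow', '/etc/shadow') {
    my $ok = eval { read_action($dir, $name); 1 };
    printf "%-28s %s\n", $name, $ok ? 'read' : 'rejected';
}
```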