Vulnerability
webmin
Affected
webmin 0.84
Description
J. Nick Koston found following. Webmin doesn't seem to clean the
env properly when starting apache (probably in other cases as
well).
It leaves the var HTTP_AUTHORIZATION set. All you need to do is
run it though a mime 64 decode and you have the login and password
to webmin (it also leaves SERVER_PORT set so there should be no
problem figuring out where the webmin is).
You can best see the effects by:
1. Kill Apache
2. Start Apache will webmin
3. Goto a <?php phpinfo() ?> page and look at the vars
Snip from phpinfo (some vars removed to protect the innocent):
PHP
Variables
Variable Value
PHP_SELF /test.php
HTTP_SERVER_VARS /usr/local/apache/htdocs
["DOCUMENT_ROOT"]
HTTP_SERVER_VARS text/*, image/*, audio/*, application/*
["HTTP_ACCEPT"]
HTTP_SERVER_VARS gzip, compress, bzip, bzip2, deflate
["HTTP_ACCEPT_ENCODING"]
HTTP_SERVER_VARS en; q=1.0
["HTTP_ACCEPT_LANGUAGE"]
HTTP_SERVER_VARS localhost
["HTTP_HOST"]
HTTP_SERVER_VARS w3m/0.2.1
["HTTP_USER_AGENT"]
HTTP_SERVER_VARS["PATH"]
/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
HTTP_SERVER_VARS 127.0.0.1
["REMOTE_ADDR"]
HTTP_SERVER_VARS 56523
["REMOTE_PORT"]
HTTP_SERVER_VARS /usr/local/apache/htdocs/test.php
["SCRIPT_FILENAME"]
HTTP_SERVER_VARS 127.0.0.1
["SERVER_ADDR"]
HTTP_SERVER_VARS 80
["SERVER_PORT"]
HTTP_SERVER_VARS Apache/1.3.17 (Unix) PHP/4.0.4pl1
["SERVER_SOFTWARE"]
HTTP_SERVER_VARS CGI/1.1
["GATEWAY_INTERFACE"]
HTTP_SERVER_VARS HTTP/1.0
["SERVER_PROTOCOL"]
HTTP_SERVER_VARS GET
["REQUEST_METHOD"]
HTTP_SERVER_VARS
["QUERY_STRING"]
HTTP_SERVER_VARS /test.php
["REQUEST_URI"]
HTTP_SERVER_VARS /usr/local/apache/htdocs/test.php
["PATH_TRANSLATED"]
HTTP_SERVER_VARS /test.php
["PHP_SELF"]
HTTP_SERVER_VARS["argv"] Array
(
)
HTTP_SERVER_VARS["argc"] 0
HTTP_ENV_VARS 10000
["SERVER_PORT"]
HTTP_ENV_VARS CGI/1.1
["GATEWAY_INTERFACE"]
HTTP_ENV_VARS["PWD"] /root/webmin-0.84/apache/
HTTP_ENV_VARS Mozilla/5.0 (X11; U; Linux 2.4.2 i686;
en-US;
["HTTP_USER_AGENT"] rv:0.9) Gecko/20010505
HTTP_ENV_VARS["PATH_INFO"]
HTTP_ENV_VARS http://localhost:10000/apache/
["HTTP_REFERER"]
HTTP_ENV_VARS["HTTP_HOST"] localhost:10000
HTTP_ENV_VARS Basic YWRtaW46ZGF2ZQ==
["HTTP_AUTHORIZATION"]
HTTP_ENV_VARS keep-alive
["HTTP_CONNECTION"]
HTTP_ENV_VARS["WEBMIN_VAR"] /var/webmin
HTTP_ENV_VARS gzip,deflate,compress,identity
["HTTP_ACCEPT_ENCODING"]
HTTP_ENV_VARS /root/webmin-0.84
["SERVER_ROOT"]
....
This is also a problem with newer versions. While it now uses a
Cookie to save authorization information, this cookie is passed
to apache as environment variable and could be queried,
environment variable is:
HTTP_COOKIE=sid=1054633991
If you have this session id, you can attach to a running webmin
session easily (for instance if the administrator forgot to logoff
and just quitted his browser or has it still open).
Solution
For Caldera:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/webmin-0.749-7.i386.rpm
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS/webmin-0.749-7.src.rpm
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/webmin-0.78-11.i386.rpm
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS/webmin-0.78-11.src.rpm
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
