
webmin 0.84 leaves its login/password in a MIME encoded environment variable



Vulnerability

    webmin

Affected

    webmin 0.84

Description

    J. Nick Koston found the following.  Webmin does not seem to clean
    its environment properly when starting Apache (and probably in
    other cases as well).

    It leaves the variable HTTP_AUTHORIZATION set.  All you need to do
    is run it through a base64 (MIME) decode and you have the login and
    password to webmin (it also leaves SERVER_PORT set, so there should
    be no problem figuring out where webmin is listening).

    You can best see the effects by:

        1. Kill Apache
        2. Start Apache with webmin
        3. Go to a <?php phpinfo() ?> page and look at the vars

    Snip from phpinfo (some vars removed to protect the innocent):

        PHP Variables

        Variable                                  Value

        PHP_SELF                                  /test.php
        HTTP_SERVER_VARS["DOCUMENT_ROOT"]         /usr/local/apache/htdocs
        HTTP_SERVER_VARS["HTTP_ACCEPT"]           text/*, image/*, audio/*, application/*
        HTTP_SERVER_VARS["HTTP_ACCEPT_ENCODING"]  gzip, compress, bzip, bzip2, deflate
        HTTP_SERVER_VARS["HTTP_ACCEPT_LANGUAGE"]  en; q=1.0
        HTTP_SERVER_VARS["HTTP_HOST"]             localhost
        HTTP_SERVER_VARS["HTTP_USER_AGENT"]       w3m/0.2.1
        HTTP_SERVER_VARS["PATH"]                  /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
        HTTP_SERVER_VARS["REMOTE_ADDR"]           127.0.0.1
        HTTP_SERVER_VARS["REMOTE_PORT"]           56523
        HTTP_SERVER_VARS["SCRIPT_FILENAME"]       /usr/local/apache/htdocs/test.php
        HTTP_SERVER_VARS["SERVER_ADDR"]           127.0.0.1
        HTTP_SERVER_VARS["SERVER_PORT"]           80
        HTTP_SERVER_VARS["SERVER_SOFTWARE"]       Apache/1.3.17 (Unix) PHP/4.0.4pl1
        HTTP_SERVER_VARS["GATEWAY_INTERFACE"]     CGI/1.1
        HTTP_SERVER_VARS["SERVER_PROTOCOL"]       HTTP/1.0
        HTTP_SERVER_VARS["REQUEST_METHOD"]        GET
        HTTP_SERVER_VARS["QUERY_STRING"]
        HTTP_SERVER_VARS["REQUEST_URI"]           /test.php
        HTTP_SERVER_VARS["PATH_TRANSLATED"]       /usr/local/apache/htdocs/test.php
        HTTP_SERVER_VARS["PHP_SELF"]              /test.php
        HTTP_SERVER_VARS["argv"]                  Array ( )
        HTTP_SERVER_VARS["argc"]                  0
        HTTP_ENV_VARS["SERVER_PORT"]              10000
        HTTP_ENV_VARS["GATEWAY_INTERFACE"]        CGI/1.1
        HTTP_ENV_VARS["PWD"]                      /root/webmin-0.84/apache/
        HTTP_ENV_VARS["HTTP_USER_AGENT"]          Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; rv:0.9) Gecko/20010505
        HTTP_ENV_VARS["PATH_INFO"]
        HTTP_ENV_VARS["HTTP_REFERER"]             http://localhost:10000/apache/
        HTTP_ENV_VARS["HTTP_HOST"]                localhost:10000
        HTTP_ENV_VARS["HTTP_AUTHORIZATION"]       Basic YWRtaW46ZGF2ZQ==
        HTTP_ENV_VARS["HTTP_CONNECTION"]          keep-alive
        HTTP_ENV_VARS["WEBMIN_VAR"]               /var/webmin
        HTTP_ENV_VARS["HTTP_ACCEPT_ENCODING"]     gzip,deflate,compress,identity
        HTTP_ENV_VARS["SERVER_ROOT"]              /root/webmin-0.84

        ....

    This is also a problem with newer versions.  While webmin now uses
    a cookie to hold authorization information, this cookie is passed
    to Apache as an environment variable and can be queried there.  The
    environment variable is:

        HTTP_COOKIE=sid=1054633991

    If you have this session id, you can attach to a running webmin
    session easily (for instance if the administrator forgot to log off
    and just quit his browser, or still has it open).
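
    A defensive check for the leak described above, added here as an
    example and not part of the original advisory or of webmin's code:
    it lists the request-scoped variables (HTTP_AUTHORIZATION,
    HTTP_COOKIE, SERVER_PORT and the like) present in a process
    environment and builds a scrubbed environment for launching a
    daemon.  The function names and the sample data are assumptions
    constructed for illustration.

```python
import os
import subprocess

# Request-scoped CGI/1.1 meta-variables (RFC 3875); HTTP_* carries request headers.
CGI_META = {
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "SERVER_SOFTWARE",
}
# Variables whose value is itself a credential or session token.
SECRET_BEARING = {"HTTP_AUTHORIZATION", "HTTP_COOKIE"}

# Constructed sample in /proc/<pid>/environ layout (NUL-separated NAME=value).
SAMPLE_ENVIRON = (
    b"PATH=/bin:/usr/bin\0SERVER_PORT=10000\0WEBMIN_VAR=/var/webmin\0"
    b"HTTP_COOKIE=sid=<placeholder>\0HTTP_AUTHORIZATION=Basic <placeholder>\0"
)

def is_request_scoped(name):
    return name.startswith("HTTP_") or name in CGI_META

def parse_environ(raw):
    """Parse NUL-separated NAME=value bytes; only the first '=' splits."""
    env = {}
    for item in raw.split(b"\0"):
        name, sep, value = item.partition(b"=")
        if sep and name:
            env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def audit(env):
    """Names (never values) of leaked request variables, secrets first."""
    leaked = [k for k in env if is_request_scoped(k)]
    return sorted(leaked, key=lambda k: (k not in SECRET_BEARING, k))

def scrub_env(env):
    """Copy of env that is safe to hand to a long-lived child process."""
    return {k: v for k, v in env.items() if not is_request_scoped(k)}

def start_daemon(argv, env=None):
    """Launch a daemon from a CGI handler without the request's environment."""
    base = dict(os.environ if env is None else env)
    return subprocess.Popen(argv, env=scrub_env(base), close_fds=True)

if __name__ == "__main__":
    print("leaked:", audit(parse_environ(SAMPLE_ENVIRON)))
```

    On Linux, the bytes read from /proc/<pid>/environ of the running
    Apache parent process can be passed to parse_environ to audit a
    live server.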

Solution

    For Caldera:

        ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/webmin-0.749-7.i386.rpm
        ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS/webmin-0.749-7.src.rpm
        ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/webmin-0.78-11.i386.rpm
        ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS/webmin-0.78-11.src.rpm

