webmin 0.84 leaves its login/password in a MIME encoded environment variable



    webmin 0.84


    J. Nick Koston found the following. Webmin doesn't seem to clean the
    env properly when starting apache (probably in other cases as

    It leaves the var HTTP_AUTHORIZATION set. All you need to do is
    run it through a MIME base64 decode and you have the login and
    password to webmin (it also leaves SERVER_PORT set so there should
    be no problem figuring out where the webmin is).

    You can best see the effects by:

        1. Kill Apache
        2. Start Apache with webmin
        3. Go to a <?php phpinfo() ?> page and look at the vars

    Snip from phpinfo (some vars removed to protect the innocent):


                 Variable                                Value

        PHP_SELF                    /test.php

        HTTP_SERVER_VARS            /usr/local/apache/htdocs

        HTTP_SERVER_VARS            text/*, image/*, audio/*, application/*

        HTTP_SERVER_VARS            gzip, compress, bzip, bzip2, deflate

        HTTP_SERVER_VARS            en; q=1.0

        HTTP_SERVER_VARS            localhost

        HTTP_SERVER_VARS            w3m/0.2.1



        HTTP_SERVER_VARS            56523

        HTTP_SERVER_VARS            /usr/local/apache/htdocs/test.php


        HTTP_SERVER_VARS            80

        HTTP_SERVER_VARS            Apache/1.3.17 (Unix) PHP/4.0.4pl1

        HTTP_SERVER_VARS            CGI/1.1

        HTTP_SERVER_VARS            HTTP/1.0

        HTTP_SERVER_VARS            GET


        HTTP_SERVER_VARS            /test.php

        HTTP_SERVER_VARS            /usr/local/apache/htdocs/test.php

        HTTP_SERVER_VARS            /test.php

        HTTP_SERVER_VARS["argv"]    Array

        HTTP_SERVER_VARS["argc"]    0

        HTTP_ENV_VARS               10000

        HTTP_ENV_VARS               CGI/1.1

        HTTP_ENV_VARS["PWD"]        /root/webmin-0.84/apache/

        HTTP_ENV_VARS               Mozilla/5.0 (X11; U; Linux 2.4.2 i686;
        ["HTTP_USER_AGENT"]         rv:0.9) Gecko/20010505


        HTTP_ENV_VARS               http://localhost:10000/apache/

        HTTP_ENV_VARS["HTTP_HOST"]  localhost:10000

        HTTP_ENV_VARS               Basic YWRtaW46ZGF2ZQ==

        HTTP_ENV_VARS               keep-alive

        HTTP_ENV_VARS["WEBMIN_VAR"] /var/webmin

        HTTP_ENV_VARS               gzip,deflate,compress,identity

        HTTP_ENV_VARS               /root/webmin-0.84


    This is also a problem with newer versions. While it now uses a
    Cookie to save authorization information, this cookie is passed
    to apache as an environment variable and could be queried; the
    environment variable is:


    If you have this session id, you can attach to a running webmin
    session easily (for instance if the administrator forgot to log off
    and just quit his browser or has it still open).
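
    The leak described above comes from a child daemon inheriting the
    CGI request environment of the process that started it. The Python
    sketch below is an added example, not Webmin's code: it audits an
    environment block for request variables and starts a child with an
    allowlisted environment instead. The function names, the allowlist
    and the sample values are assumptions made for illustration.

```python
import os
import subprocess
import sys

# CGI request metadata (RFC 3875) that a CGI program receives from its web
# server and that a daemon it launches has no reason to inherit.
CGI_EXACT = {"AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
             "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REQUEST_METHOD",
             "SCRIPT_NAME"}
CGI_PREFIXES = ("HTTP_", "REMOTE_", "SERVER_")  # HTTP_* mirrors request headers

def is_request_var(name):
    return name in CGI_EXACT or name.startswith(CGI_PREFIXES)

def leaked_request_vars(environ_blob):
    """Audit: request-variable names found in a NUL-separated environment
    block (the layout of /proc/<pid>/environ on Linux)."""
    names = (entry.split(b"=", 1)[0].decode("ascii", "replace")
             for entry in environ_blob.split(b"\0") if b"=" in entry)
    return sorted(n for n in names if is_request_var(n))

def daemon_env(parent_env, allow=("PATH", "LANG", "TZ")):
    """Hardening: pass on only allowlisted variables, so new request
    variables are dropped by default rather than by a blocklist."""
    return {k: v for k, v in parent_env.items() if k in allow}

def child_environ_blob(env):
    """Start a child process with `env` and return the environment it sees."""
    code = ("import os, sys; sys.stdout.buffer.write(b'\\0'.join("
            "os.fsencode(k) + b'=' + os.fsencode(v) for k, v in os.environ.items()))")
    return subprocess.run([sys.executable, "-c", code], env=env,
                          capture_output=True, check=True).stdout

# Constructed sample shaped like the dump above; the credential is a placeholder.
CGI_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "SERVER_PORT": "10000",
    "HTTP_HOST": "localhost:10000",
    "HTTP_AUTHORIZATION": "Basic <constructed-placeholder>",
    "WEBMIN_VAR": "/var/webmin",
}

if __name__ == "__main__":
    print("inherited as-is:", leaked_request_vars(child_environ_blob(CGI_ENV)))
    print("allowlisted    :", leaked_request_vars(child_environ_blob(daemon_env(CGI_ENV))))
```

    The allowlist has to be extended with whatever the started daemon
    really needs; anything not named in it is dropped.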


    For Caldera:

