7687729 2001-12-17 16:05 +0100  /44 lines/ A. Ramos <aramos@aramos-test.prisacom.int>
Sent by: joel@lysator.liu.se
Imported: 2001-12-18  00:17  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20186>
Subject: webmin 0.91 ../.. problem
------------------------------------------------------------
From: aramos@aramos-test.prisacom.int (A. Ramos)
To: bugtraq@securityfocus.com
Message-ID: <20011217160505.A16453@aramos-test.prisacom.int>


	Hello,

	I found a bug in webmin 0.91.

  From web:

<snip>
What is Webmin?
Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can setup user accounts, Apache, DNS, file sharing and so on. 
Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no non-standard Perl modules. 
</snip>

	With this software you can start and stop services with a simple user, and edit init scripts,
 like this: http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+makedev
 but you can use this:
http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+../../../../../etc/shadow

The problem resides in init/edit_action.cgi:
<snip>
        open(FILE, $file);
        while(<FILE>) {
                $data .= $_;
                if (/^\s*(['"]?)([a-z]+)\1\)/i) {
                        $hasarg{$2}++;
                        }
                }
        close(FILE);
</snip>
	To fix, use your favorite regexp.

	Yes, you can save a file on the server...

--
Prisacom
A. Ramos mailto:aramos@prisacom.com
Dpto. Admin. Sistemas
--
(7687729) /A. Ramos <aramos@aramos-test.prisacom.int>/(Rewrapped)
Comment in text 7688101 by KF <dotslash@snosoft.com>
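
One way to implement the fix the post above asks for ("use your favorite regexp"), as an added example that is not part of the original post and is not Webmin's own code. The helper names `safe_action_path` and `read_action`, the temporary directory standing in for the init script directory, and the sample files are assumptions; it expects a Unix-like system.

```perl
#!/usr/bin/perl
# Added example, not Webmin code: validate an init action name before opening it.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: returns the resolved path, or undef if the name is rejected.
sub safe_action_path {
    my ($init_dir, $name) = @_;
    # Allow-list: a single path component, no slashes, no leading dot.
    return undef unless defined $name && $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;
    my $base = realpath($init_dir);
    return undef unless defined $base;
    # realpath() follows symlinks, so a link that leaves the directory is caught below.
    my $path = realpath(File::Spec->catfile($base, $name));
    return undef unless defined $path && -f $path;
    return undef unless index($path, "$base/") == 0;
    return $path;
}

# Hypothetical helper: read the script with three-argument open, so the name
# is only ever treated as a file name and never as an open mode.
sub read_action {
    my ($init_dir, $name) = @_;
    my $path = safe_action_path($init_dir, $name) or return undef;
    open(my $fh, '<', $path) or return undef;
    local $/;                      # slurp the whole file
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Constructed fixture standing in for the init script directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/makedev") or die "cannot create fixture: $!";
print $out "#!/bin/sh\ncase \"\$1\" in\nstart)\n  ;;\nesac\n";
close($out);
symlink('/etc/passwd', "$dir/link");   # constructed link pointing outside the directory

for my $name ('makedev', '../../../../../etc/shadow', 'link', 'sub/makedev', '.hidden', '') {
    my $data = read_action($dir, $name);
    printf "%-30s %s\n", "'$name'", defined $data ? 'read ' . length($data) . ' bytes' : 'rejected';
}
```

Only `makedev` is read; the traversal string, the symlink, the nested path, the dot file and the empty name are all rejected.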
7688101 2001-12-17 18:26 -0500  /54 lines/ KF <dotslash@snosoft.com>
Sent by: joel@lysator.liu.se
Imported: 2001-12-18  04:21  by Brevbäraren
External recipient: A. Ramos <aramos@aramos-test.prisacom.int>
External recipient: bugtraq@security-focus.com
Recipient: Bugtraq (import) <20193>
Comment to text 7687729 by A. Ramos <aramos@aramos-test.prisacom.int>
Subject: Re: webmin 0.91 ../.. problem
------------------------------------------------------------
From: KF <dotslash@snosoft.com>
To: "A. Ramos" <aramos@aramos-test.prisacom.int>,
 bugtraq@security-focus.com
Message-ID: <3C1E7F09.3F4DE056@snosoft.com>

On 0.85 I was simply prompted for the user and password... I have
one question: were you already logged into webmin prior to typing
this URL? I want to know if it first requires authentication to
access the cgi scripts... I suspect it does and that your credentials
were cached?
-KF

"A. Ramos" wrote:
> 
>         Hello,
> 
>         I found a bug in webmin 0.91.
> 
>   From web:
> 
> <snip>
> What is Webmin?
> Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can setup user accounts, Apache, DNS, file sharing and so on.
> Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no non-standard Perl modules.
> </snip>
> 
>         With this software you can start and stop services with a simple user, and edit init scripts,
>  like this: http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+makedev
>  but you can use this:
> http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+../../../../../etc/shadow
> 
> The problem resides in init/edit_action.cgi:
> <snip>
>         open(FILE, $file);
>         while(<FILE>) {
>                 $data .= $_;
>                 if (/^\s*(['"]?)([a-z]+)\1\)/i) {
>                         $hasarg{$2}++;
>                         }
>                 }
>         close(FILE);
> </snip>
>         To fix, use your favorite regexp.
> 
>         Yes, you can save a file on the server...
> 
> --
> Prisacom
> A. Ramos mailto:aramos@prisacom.com
> Dpto. Admin. Sistemas
> --
(7688101) /KF <dotslash@snosoft.com>/-----(Rewrapped)
7699436 2001-12-19 12:19 +0100  /52 lines/ Mark van Reijn <mark@edup.tudelft.nl>
Sent by: joel@lysator.liu.se
Imported: 2001-12-19  22:10  by Brevbäraren
External recipient: bugtraq@security-focus.com
Recipient: Bugtraq (import) <20215>
Subject: Re: webmin 0.91 ../.. problem
------------------------------------------------------------
From: Mark van Reijn <mark@edup.tudelft.nl>
To: bugtraq@security-focus.com
Message-ID: <200112191119.MAA15481@obelix.edup.tudelft.nl>

Hello all,

Had to double-check this, being a rabid webmin promoter. No, you
cannot access the URL without first logging in. So far so good.
Second, within webmin it is possible to restrict users, and this bug
is still restricted by the webmin ACL system. I was NOT able to
read the shadow file without having access to the module "Bootup and
Shutdown".

With this module you can control the complete init process, reboot,
halt etc. etc. so it will probably be only accessible by trusted
users...

Greetz,

Mark

KF <dotslash@snosoft.com> said: 

> On 0.85 I was simply prompted for the user and password... I have one
> question: were you already logged into webmin prior to typing this URL?
> I want to know if it first requires authentication to access the cgi
> scripts... I suspect it does and that your credentials were cached?
> -KF
> 
> "A. Ramos" wrote:
> > 
> >         Hello,
> > 
> >         I found a bug in webmin 0.91.
<SNIP>
> > 
> > http://www.domain.com:10000/servers/link.cgi/1008341480/init/edit_action.cgi?0+../../../../../etc/shadow
> > 
> > The problem resides in init/edit_action.cgi:
> > <snip>
> >         open(FILE, $file);
> >         while(<FILE>) {
> >                 $data .= $_;
> >                 if (/^\s*(['"]?)([a-z]+)\1\)/i) {
> >                         $hasarg{$2}++;
> >                         }
> >                 }
> >         close(FILE);
(7699436) /Mark van Reijn <mark@edup.tudelft.nl>/(Rewrapped)