Open Source Forge - www.osforge.com [ Webmin: Multiple vulnerabilities ]

Root
Contribute News
Learning Corner
Linux Distributions
Linux Common FAQ's
Discussion Forums
Community Gallery
Links Directory
Search OSForge

Networking
Industry Updates
Linux & Open Source
Opinions
Press Release
Programming
Security
Web Development
White Paper

Plat'Home Unveils Winners of “Will Linux Work?” Contest

Zenoss Core Recognized as Best Open Source Network Monitoring Solution

LinMin™ Joins Intel® Certified Software Solutions Program

xTuple™ ERP 3.0 Wins “Best Business Application” At LinuxWorld Conference & Exp

Holland Computing Center - Rocks+Moab Provides Windows/Linux Cluster Solution

LogMeIn Launches Mobile Plug-in for Linux

FuseMail Selects Funambol’s Open Source Push Email and PIM Sync Solution

Zenoss Expands IT Management Solution for Managed Service Providers

Moab Workload Manager Claims Title as World’s First Petaflop Scheduler

View More �

Webmin: Multiple vulnerabilities

By : Ewdison Then [www]

on Security
Tuesday the 26th, March 2002 at 05:08 PM (EST)

Readers TalkBack (0) - 467 Reads

Printable format
Foward to Email

Insecure default permissions and unauthorized access vulnerabilities have been fixed.

Date: Thu, 21 Mar 2002 10:01:21 +1200 (NZST)
From: advisory@prophecy.net.nz
To: bugtraq@securityfocus.com
Subject: Local privalege escalation issues with Webmin 0.92

18-02-02 -- advisory@prophecy.net.nz


About Webmin:
-------------
"Webmin is a web-based interface for system administration for Unix. Using
any browser that supports tables and forms (and Java for the File Manager
module), you can setup user accounts, Apache, DNS, file sharing and so
on."



Problem #1:
-----------
Version 0.92-1 of Webmin (when installed by rpm) leaves insecure
permissions on the /var/webmin directory.
This means that if command logging within webmin is enabled, any local
user
can read the /var/webmin/webmin.log file and retrieve the root users
sid (cookie session id).
It is trivial to then create a faked local cookie using this session-id,
and log directly into webmin as root.


Problem #2:
-----------
If a semi-trusted colleague is given a restricted level of
access to some Webmin functions, specifically sendmail, then
malicious code can be inserted into certain files
that would result in revealing roots webmin sid (cookie session id)
when the root user visits the related page in webmin.


Example Exploit:
----------------
Insert the following line into the virtusers file, and wait for the root
user to visit that page: Or the following into the /etc/aliases file:

Potentially more likely to be exploited however, would be a malicious local user who has _no_ access to webmin,
who could change a file that webmin views through the HTML interface (where the code being read in is not checked for HTML).
An example would be changing their 'real name' in /etc/passwd to be something along the lines of:(Although chfn doesn't let 
you specify a username this long, but you get the idea.) This same problem exists in pretty much most parts of webmin, where 
files (or command output like 'ps') is read in and displayed in the web interface. Solution: --------- Upgrade to the latest 
version of Webmin (0.93), which fixes these issues (as well as a couple of others apparently). 
Available from: http://www.webmin.com/download.html 
 
 Thanks to: 
 ---------- 
 Harry Metcalfe <harrym@the-group.org> - for giving me the original idea about ways to steal cookies from webpages. 
 Jamie Cameron <jcameron@webmin.com> - for listening to me and making an effort to keep in touch as he fixed the problem(s).

Reader Rating from 1-5

Talkback

Post Your Talkback | View All Talkback (0 Posted)

Currently there are no Talkback posted on "Webmin: Multiple vulnerabilities", Click here to be the first to post a talkback.


About \| Term of Use \| Privacy \| Contact us \| Tell a Friend \| Advertise	OSForge News RSS Feed