![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Marcus Meissner <Marcus.Meissner@caldera.de>
To: announce@lists.caldera.com, users@lists.caldera.com
Subject: Security: CSSA-2001-019.0: webmin may leak root account information
Date: Wed, 30 May 2001 17:49:39 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: webmin root account leak
Advisory number: CSSA-2001-019.0
Issue date: 2001 May, 30
Cross reference:
______________________________________________________________________________
1. Problem Description
When starting system daemons from the webmin webfrontend, webmin
does not clear its environment variables. Since these variables
contain the authorization of the administrator, any daemon gets
these variables.
If the apache web server has been (re)started from webmin, a simple
attack would be to write a CGI scripts which just dumps all environment
variables, which contain the root password in a base64 encoded string.
This is just a preliminary advisory until we have fixed packages
available.
2. Vulnerable Versions
System Package
-----------------------------------------------------------
OpenLinux 2.3 not vulnerable
OpenLinux eServer 2.3.1 All webmin packages.
and OpenLinux eBuilder
OpenLinux eDesktop 2.4 All webmin packages.
3. Solution
Workaround
Disable the webmin service until fixed packages are available.
Reboot your machine to make sure all daemons are restarted without
tainted environment variables, or at least run as root:
/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start
to avoid trivial exploits.
We will release fixed packages in the next few days.
4. Disclaimer
Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera OpenLinux.
5. Acknowledgements:
Caldera International does acknowledge J. Nick Koston for reporting
the problem, but would appreciate if vendors would get notified first
before posting to BugTraq.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7FRYJ18sy83A/qfwRAjHeAJ9VzIKZR0aBrFBilQgk/WePVt1fVQCdEAXH
wrDu8oI2Z7jShz9XsPLEosg=
=sF1+
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com