From: Marcus Meissner <Marcus.Meissner@caldera.de>
To: announce@lists.caldera.com, users@lists.caldera.com
Subject: Security: CSSA-2001-019.0: webmin may leak root account information
Date: Wed, 30 May 2001 17:49:39 +0200

______________________________________________________________________________
                Caldera International, Inc. Security Advisory

Subject:                webmin root account leak
Advisory number:        CSSA-2001-019.0
Issue date:             2001 May, 30
Cross reference:
______________________________________________________________________________


1. Problem Description

   When starting system daemons from the webmin web frontend, webmin does
   not clear its environment variables. Since these variables contain the
   authorization of the administrator, any daemon started this way
   inherits them.

   If the apache web server has been (re)started from webmin, a simple
   attack would be to write a CGI script that just dumps all environment
   variables, which contain the root password in a base64 encoded string.

   This is just a preliminary advisory until we have fixed packages
   available.


2. Vulnerable Versions

   System                        Package
   -----------------------------------------------------------
   OpenLinux 2.3                 not vulnerable

   OpenLinux eServer 2.3.1       All webmin packages.
   and OpenLinux eBuilder

   OpenLinux eDesktop 2.4        All webmin packages.


3. Solution

   Workaround

     Disable the webmin service until fixed packages are available.

     Reboot your machine to make sure all daemons are restarted without
     tainted environment variables, or at least run as root:

         /etc/rc.d/init.d/httpd stop
         /etc/rc.d/init.d/httpd start

     to avoid trivial exploits.

   We will release fixed packages in the next few days.


4. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any
   of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.


5. Acknowledgements

   Caldera International does acknowledge J. Nick Koston for reporting
   the problem, but would appreciate if vendors would get notified first
   before posting to BugTraq.
______________________________________________________________________________
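
The workaround above only helps if every daemon started from the web frontend has really been restarted with a clean environment. The following is an added example, not part of the Caldera advisory: a root-run audit that lists processes still carrying request or authorization variables, plus a restart helper that empties the environment first. The variable names are assumed from CGI conventions (the advisory does not name them), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory). Variable names below are assumed
# CGI-style names; adjust the pattern to what your front end exports.
TAINT_RE='^(HTTP_[A-Z0-9_]+|REMOTE_USER|REMOTE_ADDR|AUTH_TYPE|QUERY_STRING|REQUEST_METHOD)='

# tainted_vars FILE: print the names (never the values) of suspicious
# variables in a NUL-separated environment block such as /proc/PID/environ.
tainted_vars() {
    tr '\0' '\n' < "$1" | grep -E "$TAINT_RE" | cut -d= -f1 | sort -u
}

# audit_proc [PROCROOT]: report each process whose inherited environment
# contains such variables. Run as root so every environ file is readable.
audit_proc() {
    root=${1:-/proc}
    for env_file in "$root"/[0-9]*/environ; do
        [ -r "$env_file" ] || continue
        # Unquoted on purpose: joins the names onto one line.
        names=$(echo $(tainted_vars "$env_file"))
        [ -n "$names" ] || continue
        pid=${env_file%/environ}
        pid=${pid##*/}
        printf 'pid %s: %s\n' "$pid" "$names"
    done
}

# clean_restart INITSCRIPT: stop and start a daemon with an emptied
# environment and a fixed PATH, so nothing from the caller is inherited.
clean_restart() {
    env -i PATH=/sbin:/usr/sbin:/bin:/usr/bin "$1" stop
    env -i PATH=/sbin:/usr/sbin:/bin:/usr/bin "$1" start
}

# Stand-alone use: "sh thisfile audit"
case "${1:-}" in
    audit) audit_proc ;;
esac
```

Any process the audit reports should be restarted, for example with clean_restart /etc/rc.d/init.d/httpd, and the audit run again until it prints nothing.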