Webmin Environment Variable Information Disclosure Vulnerability

Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms, you can setup user accounts, Apache, DNS, file sharing and so on.

Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no external modules. This means that you only need a Perl binary to run Webmin.

Versions of Webmin prior to the current release (0.85) fail to properly delete sensitive information stored in certain environment variables.

One such variable contains webmin's administrator login ID and password in mime 64 encoded form. An attacker may trivially read and decode this information, and exploit it to further compromise the host's security, potentially obtaining root privilege.


Privacy Statement
Copyright 2010, SecurityFocus