Bug#271590: webmin security hole.

To: Andy Baxter <andy@earthsong.free-online.co.uk>
Cc: 271590@bugs.debian.org
Subject: Bug#271590: webmin security hole.
From: "Jaldhar H. Vyas" <jaldhar@debian.org>
Date: Sat, 25 Sep 2004 12:00:03 -0400 (EDT)
Message-id: <[🔎] Pine.LNX.4.58.0409251157460.23333@diku.intranet.braincells.com>
Reply-to: "Jaldhar H. Vyas" <jaldhar@debian.org>, 271590@bugs.debian.org
In-reply-to: <200409141850.45822.andy@earthsong.free-online.co.uk>
References: <200409140127.46723.andy@earthsong.free-online.co.uk> <Pine.LNX.4.58.0409131936360.18181@diku.intranet.braincells.com> <200409141850.45822.andy@earthsong.free-online.co.uk>

On Tue, 14 Sep 2004, Andy Baxter wrote:

> I just found out that this attack (using a local document) only works because
> webmin has 'allow unknown referers' set by default in the 'trusted referers'
> section of the webmin config. With this turned off, the attack doesn't work
> at all, so maybe it should be set that way by default?
>

Thanks to Debians' email server imploding I only just got this.  I'll add
it to the next update.

-- 
Jaldhar H. Vyas <jaldhar@debian.org>
La Salle Debain - http://www.braincells.com/debian/

Reply to:

Prev by Date: Bug#102921: can this be ture?
Next by Date: Bug#273377: webmin: Static SSL cert/key pair
Previous by thread: Bug#102921: can this be ture?
Next by thread: Bug#273377: webmin: Static SSL cert/key pair
Index(es):
- Date
- Thread