Potentially dangerous web UI behaviour

Hello,

Here is something that I think has been there for a very long time. This includes the web interface for Virtualmin, Webmin, Cloudmin. The issue is when you execute some command and leave the status report open and restart the browser. When the browser (Google Chrome in my case) starts again, the command gets executed again. Imagine that this is, for example, a machine reboot or VPS shutdown command or worse, a delete command...

Probably the browser remembers the POST parameters and executes them again after the browser restart, I do not know, but I think this should be prevented.

Status: Closed (fixed)

Comments

Are any of the pages on which you're seeing this submitted via GET? Because a browser should never re-submit a POST form without user confirmation for exactly the reason you described - which is why all actions in Virtualmin / Cloudmin that make changes use POST forms.

I mean, which action in Virtualmin got repeated when the page was re-opened?

One example is when restarting a virtual server in Cloudmin. The restart happens and shows the log, but if you restart the browser it gets done again. This was the reason to write this report, actually. But in the past I think this happens if you install updates and leave the successful installation page open and restart the browser: it tries to restart the installation, but yum fails because it is already done.

I just checked, and all reboots are done using POST forms.

Hi again,

I made some tests and this link:

https://serverhostname:10000/server-manager/save_serv.cgi?id=14266834528...

is left in the right frame after the command restart is completed. But executed with the button "Reboot Now" which is shown after resource change is done (RAM limit change in this example). I think if I execute this command with the right referrer it will do all - reboot and confirm.

How to reproduce:

1. Choose a virtual machine.
2. Go to Resources > Resource Limits.
3. Change something (I changed the "Maximum memory allocation").
4. Hit "Save".
5. Hit "Reboot Now".
6. Wait for the reboot to complete and do not touch anything.
7. Restart the browser and restore tabs, and voilà, the virtual machine got rebooted once again.

The previous screen (before hitting the "reboot now" button) of the right frame is also worth it: https://serverhostname:10000/server-manager/save_limits.cgi?id=142668345...

Ah, I forgot about that case - this will be fixed to use POST in the next release of Cloudmin.

Status: Active » Fixed

Hmm, it sounds like you're using Webmin there, rather than Cloudmin?

We changed the Cloudmin behavior after that issue occurred, though it sounds like the issue you're seeing is with Webmin itself within the "init" module. Though we'll fix that too, just verifying we're looking into the right thing :-)

This evening, I upgraded to wbm-virtual-server.noarch 2:6.02.gpl-1, and will keep monitoring whether the error happens again. I will note it here in 2 days.

By the way, this does look like a bug if the reboot page being refreshed re-triggers the reboot. I'll fix that in the next webmin release.

Hi, Sir, after checking several times, this issue was fixed. It didn't happen again. Thanks!
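
The GET-versus-POST behaviour discussed in this thread, as an added example that is not Webmin or Cloudmin code: a toy handler modelled on `save_serv.cgi` that shows why an action URL left in a tab is re-run on session restore, next to a hardened form that refuses non-POST requests. The `Panel` class, the `/status.cgi` page, the `vm1` id and the `reboot` parameter are hypothetical, and the 303 redirect after the POST goes one step beyond the fix named in the thread.

```python
from urllib.parse import urlsplit, parse_qs

class Panel:
    """Toy control panel; hardened=False mimics an action reachable via GET."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.reboots = []  # every reboot actually performed

    def handle(self, method, url, body=""):
        """Process one request and return (status, headers)."""
        parts = urlsplit(url)
        if parts.path == "/status.cgi":  # read-only page, safe to re-request
            return 200, {}
        if parts.path != "/save_serv.cgi":
            return 404, {}
        if self.hardened and method != "POST":
            # State-changing action: a restored tab, refresh or prefetch
            # arrives as GET and is refused before anything runs.
            return 405, {"Allow": "POST"}
        params = parse_qs(body if method == "POST" else parts.query)
        vm = params.get("id", [""])[0]
        self.reboots.append(vm)
        if self.hardened:
            # Redirect so the URL left in the tab is the harmless status page.
            return 303, {"Location": "/status.cgi?id=" + vm}
        return 200, {}  # the action URL itself stays in the tab

def reboots_after_restore(hardened):
    """Click "Reboot Now" once, restore the tab, return the reboot count."""
    panel = Panel(hardened)
    if hardened:
        _, headers = panel.handle("POST", "/save_serv.cgi", "id=vm1&reboot=1")
        tab_url = headers["Location"]  # browser follows the 303 with GET
    else:
        tab_url = "/save_serv.cgi?id=vm1&reboot=1"  # constructed query string
    panel.handle("GET", tab_url)  # initial page load
    panel.handle("GET", tab_url)  # session restore re-requests the tab URL
    return len(panel.reboots)

if __name__ == "__main__":
    print("GET action:", reboots_after_restore(False), "reboots")
    print("POST + redirect:", reboots_after_restore(True), "reboots")
```
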