Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
Backdoor found in webmin (via sourceforge)
New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

Backdoor found in webmin (via sourceforge)

https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/

Worth an audit, though I can imagine most folks are using github as a source.

͡⚆ ͜ʖ ͡⚆                 LE

Comments

  • sanvitsanvit Member
    edited August 2019

    The bad news is that the hacker responsible for compromising Webmin's build infrastructure appears to have tried to change the default state of the password expiration feature in Webmin 1.890, when it turned this feature on by default for all Webmin users.

    However, the modification was sloppy, and caused errors for some users, who reported the issue to Webmin admins, who then reverted back to the previous off-by-default state with the next release.

    So the devs either knew someone changed the default settings but didn't took any attempt to analyze the cause of it, or didn't know what defaults were shipped on the first place? Both sounds pretty bad to me :(

  • Thanked by 2vimalware ITLabs

    "Linux will run happily with only 4 MB of RAM, including all of the bells and whistles such as the X Window System, Emacs, and so on." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 32)

Sign In or Register to comment.