Webmin (CVE-2019-15107) - Zero Day Remote Exploit
We have been made aware of a remote exploit in Webmin 1.920 (latest) that would allow users to run arbitrary commands.
The function that is being exploited is related to the user password change that appears to be enabled by default. It is recommended that you disable that function and also temporarily disable password_change.cgi at the file system level until a patch has been released.
Please monitor the change log for updates:
http://www.webmin.com/changes.html
At the time of writing this, no patch has been issued to our knowledge!
Source: RACK911 Labs security mail
Comments
They patched it and the update will be released in a few hours. https://sourceforge.net/p/webadmin/discussion/600155/thread/60975bddad/
It's enabled by default
It's concerning that a developer of Webmin doesn't even know what defaults they deliver, or doesn't even check before commenting.
Similar to cPanel: the developers didn't know that somehow the DB of the default backup system can be corrupted, making it impossible to back up any accounts on a cPanel server.
No, it isn't, and hasn't been for years, if not forever. What makes you think it is?
Perhaps I'm mistaken. Are we talking about the facility "Change Password" for users to change their password in Usermin? (I guess not.)
It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890
Ah, okay, I hadn't yet looked more closely at the matter, but it's really the option "Prompt users with expired passwords to enter a new one" that needs to be set for the exploit to be carried out, and this option is indeed not set by default.
Initially, it sounded as though the exploit simply required the facility "Change Password" to be enabled for users (which is enabled by default), but this facility alone isn't sufficient for the exploit to be carried out.
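A defender-side check that ties together the advisory's mitigation in the first post (disable password_change.cgi at the file-system level) and the condition clarified above (the expired-password prompt must be enabled). This is an added example, not code from the thread or from Webmin; it assumes the "Prompt users with expired passwords to enter a new one" option is stored as passwd_mode=2 in miniserv.conf, that the version number is the single line in /etc/webmin/version, and that the caller supplies the Webmin root directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Webmin: a read-only check for
# the conditions the thread says are needed to exploit CVE-2019-15107.
# Assumptions not stated on the page: the "Prompt users with expired passwords
# to enter a new one" option is stored as passwd_mode=2 in miniserv.conf, the
# installed version is the single line in /etc/webmin/version, and any version
# newer than 1.920 is treated as patched.

# True when miniserv.conf turns on the expired-password prompt (passwd_mode=2).
expired_password_prompt_enabled() {
    [ -f "$1" ] || return 1
    mode=$(sed -n 's/^passwd_mode=\([0-9]*\).*$/\1/p' "$1" | tail -n 1)
    [ "$mode" = "2" ]
}

# True when the recorded version is 1.920 (the release the thread calls
# vulnerable) or older.
version_at_most_1920() {
    [ -f "$1" ] || return 1
    ver=$(tr -d '[:space:]' < "$1")
    awk -v v="$ver" 'BEGIN { exit !((v + 0) <= 1.920) }'
}

# Exposed only when all three hold: old version, prompt enabled, and
# password_change.cgi still present under the Webmin root (the thread's
# file-level mitigation is to disable that script).
webmin_exposed() {
    version_at_most_1920 "$2" || return 1
    expired_password_prompt_enabled "$1" || return 1
    [ -f "$3/password_change.cgi" ]
}

# Build a constructed Webmin-like tree for offline testing:
# make_fixture DIR PASSWD_MODE VERSION KEEP_CGI(yes|no)
make_fixture() {
    mkdir -p "$1/etc" "$1/root"
    printf 'port=10000\npasswd_mode=%s\nssl=1\n' "$2" > "$1/etc/miniserv.conf"
    printf '%s\n' "$3" > "$1/etc/version"
    [ "$4" = "yes" ] && : > "$1/root/password_change.cgi"
    return 0
}

# Demonstration on constructed data: exploitable layout, then the mitigated one.
demo=$(mktemp -d)
make_fixture "$demo/before" 2 1.920 yes
make_fixture "$demo/after" 0 1.920 no
webmin_exposed "$demo/before/etc/miniserv.conf" "$demo/before/etc/version" "$demo/before/root" && echo "before: EXPOSED"
webmin_exposed "$demo/after/etc/miniserv.conf" "$demo/after/etc/version" "$demo/after/root" || echo "after: not exposed"
rm -rf "$demo"
```

On a real host, point the three arguments at /etc/webmin/miniserv.conf, /etc/webmin/version and the directory that contains password_change.cgi (it varies by distribution package).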
Yes, I just read the release and breathed some relief.
I actually had fun Sunday plans. 😅
And don't forget to update Usermin as well:
Webmin -> Usermin Configuration -> Upgrade Usermin
Just a heads-up:
According to the main Webmin web page, http://webmin.com/index.html , Usermin has been updated to v1.780, but according to the Usermin web page, http://webmin.com/usermin.html , Usermin is still at v1.770. Presumably, this is a temporary discrepancy, so one should look/try again later in the day or tomorrow.
So far, I was able to update from Usermin v1.760 to v1.770.
I'm guessing it's not enabled by default in the upstream package. But as you very well know, various distributions like to make changes when they package the software.
No, at least for my installations. You have to enable it manually.
I just updated it and it went to 1.780. Maybe they are updating all of their servers containing the installation files atm?
@FHR, @jvnadr: See my comment above ( https://www.lowendtalk.com/discussion/comment/3013323/#Comment_3013323 )
@jvnadr: Will try Usermin again -- I was probably a bit early.
I still can't update to v1.780. Oh, well, I'll recheck later.
This is the reason I love Webmin and, even more, Virtualmin. Long live Virtualmin!
Which developer are you referring to?
Just as a follow-up: today, I was able to update to v1.780.