Backdoor found in webmin (via sourceforge)
Worth an audit, though I can imagine most folks are using GitHub as a source.
Comments
The bad news is that the hacker responsible for compromising Webmin's build infrastructure appears to have tried to change the default state of the password expiration feature in Webmin 1.890, when it turned this feature on by default for all Webmin users.
However, the modification was sloppy, and caused errors for some users, who reported the issue to Webmin admins, who then reverted back to the previous off-by-default state with the next release.
So the devs either knew someone changed the default settings but didn't make any attempt to analyze the cause of it, or didn't know what defaults were shipped in the first place? Both sound pretty bad to me.
https://www.lowendtalk.com/discussion/159757/webmin-cve-2019-15107-zero-day-remote-exploit
(Not sure that we need a new thread about this)