Submitted via IRC for SoyCow2718
Webmin, the open source web-based interface for managing Linux and UNIX systems, contained a remote code execution vulnerability for more than a year and it's believed to be an intentional backdoor.
The vulnerability, tracked as CVE-2019-15107, was disclosed at the recent DEFCON hacker conference, and Webmin developers were not notified of its existence before the details were made public.
The flaw is related to a feature designed for changing expired passwords and it allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.
The security hole impacts Webmin 1.882 through 1.921, but most versions are not vulnerable in their default configuration as the affected feature is not enabled by default. Version 1.890 is affected in the default configuration. The issue has been addressed with the release of Webmin 1.930 and Usermin version 1.780.
[...] A Shodan search shows over 215,000 internet-exposed Webmin instances, mostly located in the United States, France and Germany. However, there are roughly 15,000 results for searches of version 1.890, which is vulnerable in the default configuration.
Source: https://www.securityweek.com/webmin-backdoored-over-year
(Score: 3, Informative) by Revek on Wednesday August 21 2019, @01:12PM (6 children)
I use it for my machines. I do not however expose them to the internet. I use a ssh tunnel to access it on all of my machines.
This page was generated by a Swarm of Roaming Elephants
(Score: 2) by FatPhil on Wednesday August 21 2019, @01:15PM (4 children)
(about line 40). Where did you get the package you're using from?
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Revek on Thursday August 22 2019, @05:58AM (3 children)
I got my installation from the repo on webmin.com. It really doesn't matter that the software isn't secure. I don't have it accessible, except though localhost.
This page was generated by a Swarm of Roaming Elephants
(Score: 2) by FatPhil on Thursday August 22 2019, @11:11AM (2 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Revek on Friday August 23 2019, @07:49PM (1 child)
No I'm not. All of my machines have public IP addresses since they do public things. Some are for web services, others for DNS. I have every machine firewalled with only SSH accessible from certain IP addresses. I've been using webmin for years and have never had any serious issues with how they handle system configurations. What issues I have had were easily fixed. Its small light and capable, their trust has been earned. I have never trusted miniserv though. That is why its always been safely behind the firewall and on a non standard port at that. What ever bug you are looking at did not affect any of my machines. But by all means do not trust them, trust ISPConfig or you could just config them all without the aid of a GUI. I still do that sometimes to keep the skills fresh.
This page was generated by a Swarm of Roaming Elephants
(Score: 2) by FatPhil on Saturday August 24 2019, @11:48AM
> No I'm not.
> I've been using webmin for years ... their trust has been earned
I have nothing more to say, both of our positions are clear, and only one is self-contradictory.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by jmichaelhudsondotnet on Wednesday August 21 2019, @04:36PM
When I used it that's what I did too, this isn't really software that should be net facing.
But it sure is handy geez, real swiss army software.
Glad to read it sounds like it wasn't a failure of the devs but sourceforge.