Submitted via IRC for SoyCow2718
Webmin, the open source web-based interface for managing Linux and UNIX systems, contained a remote code execution vulnerability for more than a year and it's believed to be an intentional backdoor.
The vulnerability, tracked as CVE-2019-15107, was disclosed at the recent DEFCON hacker conference, and Webmin developers were not notified of its existence before the details were made public.
The flaw is related to a feature designed for changing expired passwords and it allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.
The security hole impacts Webmin 1.882 through 1.921, but most versions are not vulnerable in their default configuration as the affected feature is not enabled by default. Version 1.890 is affected in the default configuration. The issue has been addressed with the release of Webmin 1.930 and Usermin version 1.780.
[...] A Shodan search shows over 215,000 internet-exposed Webmin instances, mostly located in the United States, France and Germany. However, there are roughly 15,000 results for searches of version 1.890, which is vulnerable in the default configuration.
Source: https://www.securityweek.com/webmin-backdoored-over-year
(Score: 2) by FatPhil on Thursday August 22 2019, @11:11AM (2 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Revek on Friday August 23 2019, @07:49PM (1 child)
No I'm not. All of my machines have public IP addresses since they do public things. Some are for web services, others for DNS. I have every machine firewalled with only SSH accessible from certain IP addresses. I've been using webmin for years and have never had any serious issues with how they handle system configurations. What issues I have had were easily fixed. Its small light and capable, their trust has been earned. I have never trusted miniserv though. That is why its always been safely behind the firewall and on a non standard port at that. What ever bug you are looking at did not affect any of my machines. But by all means do not trust them, trust ISPConfig or you could just config them all without the aid of a GUI. I still do that sometimes to keep the skills fresh.
This page was generated by a Swarm of Roaming Elephants
(Score: 2) by FatPhil on Saturday August 24 2019, @11:48AM
> No I'm not.
> I've been using webmin for years ... their trust has been earned
I have nothing more to say, both of our positions are clear, and only one is self-contradictory.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves