First release date: | 1997/10/05 |
Last release date: | 2019/08/20 |
Technology: | ITSM - IT service management systems |
Webmin is a software package for administering an operating system through a web interface; in most cases it removes the need to use the command line or to memorize system-level commands and their parameters.
2019: Webmin version 1.930
On August 20, 2019 it became known that a critical vulnerability in Webmin had been fixed.
The problem first became public on August 10, but the developers learned of it only a week later.
The developers of Webmin, an open source application for administering Unix-like systems, released Webmin 1.930 together with the companion release Usermin 1.780. The update fixes a critical vulnerability (CVE-2019-15107) that allows remote code execution under certain software configuration settings.
This release fixes the disclosed vulnerability CVE-2019-15107. We received no prior notice of it, which is very unusual and unethical on the part of the researcher who discovered it. Under these circumstances, however, we had no choice but to release a fix as quickly as possible.
The vulnerability allows commands to be executed before authentication is completed. The problem stems from the use of qx// in one of the calls to &unix_crypt (in the affected line of password_change.cgi). Since qx// in Perl is equivalent to backticks, everything inside it is handed to the shell.
The vulnerability exists only under certain Perl software configuration settings: when the password expiry policy under Webmin -> Webmin Configuration -> Authentication is set to "Prompt users with expired passwords to enter a new one". This option is off by default, but if an administrator has enabled it, remote code execution becomes possible.
The problem affects all Webmin versions from 1.882 through 1.920. Webmin 1.890 is vulnerable even with the default configuration.
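As an added illustration (not Webmin's code), this is the shell-free form that a password check on the expired-password path should take: Perl's built-in crypt() never invokes /bin/sh, whereas qx// always does. The salt, hash and passwords below are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not Webmin's code. Contrast with the vulnerable pattern:
# qx/.../ (identical to backticks) builds a command line from interpolated
# data and runs it through /bin/sh, so a submitted password becomes shell
# syntax. Nothing below ever reaches a shell.
use strict;
use warnings;

# Check a submitted password against a stored crypt(3) hash. Passing the
# stored hash as the salt makes crypt() reuse its algorithm and salt fields.
sub verify_password {
    my ($submitted, $stored_hash) = @_;
    my $candidate = crypt($submitted, $stored_hash);
    return 0 unless defined $candidate;
    return constant_time_eq($candidate, $stored_hash);
}

# Equality check whose running time does not depend on the first mismatch.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Constructed demo values (salt and passwords are made up for this example).
my $stored = crypt('correct horse', '$6$constructedsalt$');

printf "correct password accepted: %d\n", verify_password('correct horse', $stored);
printf "wrong password accepted:   %d\n", verify_password('wrong guess',   $stored);
```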
According to Cooper, the patch also fixes several XSS vulnerabilities that researchers had disclosed responsibly, for which they were paid a monetary reward[1][2].
Notes
- ↑ [https://www.securitylab.ru/news/500513.php Critical vulnerability fixed in Webmin]
- ↑ [https://www.securitylab.ru/news/500513.php Critical vulnerability fixed in Webmin]