Flawed code traced to home build system, vulnerability can be attacked in certain configs
The maintainers of Webmin – an open-source application for system administration tasks on Unix-flavored systems – have released Webmin version 1.930 and the related Usermin version 1.780 to patch a vulnerability that can be exploited to achieve remote code execution in certain configurations.
Joe Cooper, one of the contributing developers, announced the patch in a blog post over the weekend.
"This release addresses CVE-2019-15107, which was disclosed earlier today," Cooper said. "We received no advance notification of it, which is unusual and unethical on the part of the researcher who discovered it. But, in such cases there's nothing we can do but fix it ASAP."
The patch also deals with several XSS issues that were responsibly disclosed, he said, noting that a bounty has been paid to the researcher who reported them.
The bug at issue is a command injection flaw in the &unix_crypt function used in the password_change.cgi file, where it checks the password against the system's /etc/shadow file. By adding a pipe character ("|"), an attacker can execute code remotely.
To be vulnerable, Cooper said, the Perl-based software must have the Webmin -> Webmin Configuration -> Authentication -> "Password expiry policy" option set to "Prompt users with expired passwords to enter a new one".
"This option is not set by default, but if it is set, it allows remote code execution," he said.
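An administrator can check a host for the condition Cooper describes with a short audit script. This is an added example, not code from the Webmin project. It assumes the usual install layout (`/etc/webmin/miniserv.conf` and `/etc/webmin/version`) and that the "Prompt users with expired passwords to enter a new one" policy is stored as `passwd_mode=2`. The verdict names are made up for this example.

```shell
#!/bin/sh
# Audit a Webmin install for the CVE-2019-15107 exposure condition.
# Assumption: the password-expiry prompt policy is stored as passwd_mode=2.
FIXED_VERSION="1.930"   # patched release named in the article

# Print the effective passwd_mode (last assignment wins); empty if unset.
# Commented-out lines are ignored because the key must start the line.
get_passwd_mode() {
    awk -F= '/^[ \t]*passwd_mode[ \t]*=/ { gsub(/[ \t\r]/, "", $2); v = $2 }
             END { print v }' "$1"
}

# version_lt A B: succeed if dotted numeric version A is older than B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# audit_webmin CONF VERSION_FILE: print one verdict word.
audit_webmin() {
    conf=$1; verfile=$2
    [ -r "$conf" ] && [ -r "$verfile" ] || { echo "UNKNOWN"; return 0; }
    ver=$(tr -d '[:space:]' < "$verfile")
    mode=$(get_passwd_mode "$conf")
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "PATCHED"                 # at or above the fixed release
    elif [ "$mode" = "2" ]; then
        echo "EXPOSED"                 # old release and risky option enabled
    else
        echo "UNPATCHED_OPTION_OFF"    # old release, option not set
    fi
}

# Demo on constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d)
    printf 'port=10000\n#passwd_mode=0\npasswd_mode=2\n' > "$d/miniserv.conf"
    printf '1.920\n' > "$d/version"    # constructed pre-patch version
    audit_webmin "$d/miniserv.conf" "$d/version"
    rm -rf "$d"
}
demo
```

On a real host, run `audit_webmin /etc/webmin/miniserv.conf /etc/webmin/version`. Any verdict other than `PATCHED` means the host should be upgraded.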