Webmin Backdoored for Over a Year

Webmin, the open source web-based interface for managing Linux and UNIX systems, contained a remote code execution vulnerability for more than a year and it’s believed to be an intentional backdoor.

The vulnerability, tracked as CVE-2019-15107, was disclosed at the recent DEFCON hacker conference, and Webmin developers were not notified of its existence before the details were made public.

The flaw is related to a feature designed for changing expired passwords and it allows a remote, unauthenticated attacker to execute ar ..