Webmin password_change.cgi backdoor

Added: 08/26/2019

Background

Webmin is a web-based interface for system administration of Unix systems. The Webmin web server listens by default on port 10000/tcp.

Problem

A backdoor in Webmin allows a remote attacker to execute arbitrary commands by sending a POST request to password_change.cgi with a specially crafted "old" parameter.
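For defenders, the request described above can be looked for in web server logs. The following is an added example, not code from this advisory or from Webmin: it flags POST requests to password_change.cgi and counts them per source address. The Common Log Format layout, the sample lines and the function names are assumptions; adjust the regular expression to the log format actually in use.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (assumed Common Log Format, documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - admin [26/Aug/2019:10:01:12 +0000] "GET /session_login.cgi HTTP/1.1" 200 2411
198.51.100.7 - - [26/Aug/2019:10:03:40 +0000] "POST /password_change.cgi HTTP/1.1" 200 512
198.51.100.7 - - [26/Aug/2019:10:03:44 +0000] "POST //password%5Fchange.cgi?x=1 HTTP/1.1" 200 498
203.0.113.5 - - [26/Aug/2019:10:05:02 +0000] "GET /password_change.cgi HTTP/1.1" 500 120
192.0.2.10 - - [26/Aug/2019:10:06:30 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET = "password_change.cgi"


def suspicious_requests(log_text):
    """Return (source, timestamp, status) for every POST to password_change.cgi."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, decode percent-escapes, and take the last
        # path component so extra slashes or encoding do not hide the script.
        path = unquote(m["path"].split("?", 1)[0])
        script = path.rstrip("/").rsplit("/", 1)[-1]
        if script.lower() == TARGET:
            hits.append((m["src"], m["ts"], int(m["status"])))
    return hits


def hits_by_source(log_text):
    """Count flagged requests per source address for triage."""
    return dict(Counter(src for src, _, _ in suspicious_requests(log_text)))


if __name__ == "__main__":
    for src, ts, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {src} POST {TARGET} -> {status}")
```

A hit is a lead for review, not proof of compromise: a legitimate expired-password change also posts to this script on hosts where that feature is enabled.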

Resolution

Upgrade to Webmin 1.930 or higher.

References

http://www.webmin.com/exploit.html
https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html

Limitations

Versions other than 1.890 are affected only if changing of expired passwords is enabled, which is not the case by default.