Webmin security vulnerabilities
Webmin is a web-based interface that lets system administrators manage Unix/Linux servers. It can be used to set up user accounts, Apache, DNS, file sharing and much more. You can also edit configuration files like /etc/passwd and access your server from the console.
Recently, two security vulnerabilities were discovered in Webmin 1.670. They are listed below.
 Webmin – PHP Config Hardlink Arbitrary File Access
It is possible for a malicious user to view any file on the server, including root owned files, by using a hardlink pointing to the user PHP config file and then editing the configuration within Webmin.
 Webmin – Statistics Hardlink Arbitrary File Access
It is possible for a malicious user to view any file on the server, including root owned files, by using a hardlink pointing to the Webalizer and AwStats statistics files and then accessing the features within Webmin.
Since it is possible to obtain sensitive information, both Webmin security vulnerabilities were rated as high.
Both vulnerabilities were patched in Webmin 1.680.
Both Webmin security vulnerabilities were discovered by Rack911, a server management and server security company. It is strongly recommended that you upgrade to Webmin 1.680.
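Both issues come from a privileged process reading a file at a path the user controls. The following is an added example, not Webmin's code and not the 1.680 patch: a sketch of the check a privileged reader can make before opening such a file. The names open_user_file, UnsafeFileError and demo, and the sample file names, are hypothetical.

```python
import os
import stat
import tempfile

class UnsafeFileError(Exception):
    """The path must not be read on the user's behalf."""

def open_user_file(path, expected_uid):
    """Open path read-only for expected_uid, refusing link tricks."""
    # O_NOFOLLOW rejects a symlink as the final path component; O_NONBLOCK
    # keeps a FIFO planted at the path from hanging the privileged process.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        # fstat() on the descriptor: the file checked is the file read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFileError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise UnsafeFileError(f"{path}: owned by uid {st.st_uid}")
        if st.st_nlink != 1:
            raise UnsafeFileError(f"{path}: has {st.st_nlink} hard links")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "r")

def demo():
    """Run the check over constructed files; return name -> outcome."""
    uid, results = os.getuid(), {}
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, "plain.ini")
        target = os.path.join(root, "target.txt")
        linked = os.path.join(root, "php.ini")  # constructed name
        for p in (plain, target):
            with open(p, "w") as f:
                f.write("constructed sample\n")
        os.link(target, linked)  # second name for the same inode
        cases = {"plain": (plain, uid), "hardlink": (linked, uid),
                 "wrong_owner": (plain, uid + 1)}
        for name, (path, owner) in cases.items():
            try:
                open_user_file(path, owner).close()
                results[name] = "ok"
            except UnsafeFileError:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

A hard link to a root-owned file is caught by the owner check, because the link shares the inode and therefore the owner of its target; the link-count check also covers links between files of the same owner.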