Hi all,
we are running webmin behind an apache reverse proxy for external access. The port for external access is different from the port webmin is bound to internally. Until 1.600 only had to set referers= to allow this kind of configuration.
Since 1.600 we had to add referer=1 to avoid forbidden referer errors. This will accept any external referers and disable XSS protection. Probably related to fixing this: Referer checks don't include port Affects Webmin versions up to 1.590. If an attacker has control over http://example.com/ , he could create a page with malicious Javascript that could take over a Webmin session at https://example.com:10000/ when http://example.com/ is viewed by the victim. Thanks to Marcin Teodorczyk for finding this issue.
Is there any way we can accept refereres from a specific domain but differing port?
Benjamin