Security

This page lists security problems found in Virtualmin and Cloudmin, versions affected, and recommended mitigation or solutions.

Authentic theme privilege escalation bug in Webmin 1.801

Logged in Webmin/Virtualmin users with access to Authentic theme could use a spoofed referer header and a hand-crafted link to edit files as the root user.

  • Reported by: Internal Audit
  • Reported on: August 10, 2016
  • Vulnerable versions: Webmin 1.801 and lower.
  • Resolution: Upgrade to Webmin 1.810 or above.

Authentic theme remote root exploit in two development Webmin releases (1.794 and 1.795)

Authentic theme, as included in two Webmin devel releases (1.794 and 1.795), failed to properly sanitize user input, allowing arbitrary code execution on unauthenticated requests. The theme had a recently added feature (specifically a login notifications feature) that was added since Authentic Theme was last audited for security. This bug did not ship with any Webmin stable release, but because these releases happened to coincide with several updates for Let's Encrypt support and Ubuntu 16.04 bug fixes, we had rolled these devel versions into the Virtualmin repos. The feature in question accepts user-provided data for inclusion in the email notification, which allowed code execution through use of shell backticks.

The offending feature has been removed and replaced by core Webmin functionality that is not subject to security concerns.

  • Reported by: Peter Bryant at RimuHosting
  • Reported on: May 25, 2016
  • Vulnerable versions: Webmin 1.795 and lower.
  • Resolution: Upgrade to Webmin 1.800 or above.

File operations as root user in user-writable locations

Several file operations in Virtualmin were performed in user home directories as the root user, making it possible for a user to construct hard links to override system permissions on sensitive files. Affected features included Backup and Restore, Protected Web Directories, Spamassassin Mail Filter, Read User Mail, and Manage PHP Configuration.

  • Reported by: Patrick Williams of RACK911Labs.com
  • Reported on: December 1, 2014
  • Vulnerable versions: 3.12 and lower and Webmin 1.710 and lower.
  • Resolution: Upgrade to Virtualmin version 3.13 or above and Webmin 1.720 or above.
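
For administrators who run their own root-owned scripts against user home directories, the following added example (not Virtualmin or Webmin code, and not a description of how the fix was implemented) shows one way to refuse hard-linked, symlinked or wrongly owned files before a privileged operation. The names `open_user_file`, `UnsafeFile` and `demo` are hypothetical, and the sample files are constructed in a temporary directory.

```python
import errno
import os
import stat
import tempfile

class UnsafeFile(Exception):
    """A path in a user-writable directory failed a safety check."""

def open_user_file(path, expected_uid, write=False):
    """Open an existing file under a user's home for a privileged operation.
    Checks use fstat on the open descriptor, so there is no check/use gap."""
    flags = (os.O_WRONLY if write else os.O_RDONLY) | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):  # symlink as final component
            raise UnsafeFile(f"{path}: symbolic link") from e
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFile(f"{path}: not a regular file")
        if st.st_nlink != 1:  # another name exists, possibly for a system file
            raise UnsafeFile(f"{path}: {st.st_nlink} hard links")
        if st.st_uid != expected_uid:  # e.g. a root-owned file linked into $HOME
            raise UnsafeFile(f"{path}: owned by uid {st.st_uid}")
    except Exception:
        os.close(fd)
        raise
    return fd

def demo():
    """Run the check over constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name in ("sensitive", "plain"):  # "sensitive" stands in for a system file
            with open(os.path.join(d, name), "w") as f:
                f.write("data\n")
        os.link(os.path.join(d, "sensitive"), os.path.join(d, "hardlink"))
        os.symlink(os.path.join(d, "sensitive"), os.path.join(d, "symlink"))
        for name in ("plain", "hardlink", "symlink"):
            try:
                os.close(open_user_file(os.path.join(d, name), os.getuid()))
                results[name] = "opened"
            except UnsafeFile:
                results[name] = "refused"
    return results

if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only protects the final path component, so intermediate directories still need care; performing the operation with the user's own privileges instead of root avoids the problem class altogether.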

Race condition file exposure of /etc/shadow

Permissions on a Webmin-created temporary file were readable by any user, leading to potential exposure of sensitive data.

  • Reported by: Patrick Williams of RACK911Labs.com
  • Reported on: December 1, 2014
  • Vulnerable versions: 3.12 and lower.
  • Resolution: Upgrade to Virtualmin version 3.13 or above and Webmin 1.720 or above.