Open Source Webmin had Backdoor for More Than a Year

By Swapnil Bhartiya

The researcher who found the vulnerability didn’t inform the project, leaving users open to attacks.

Webmin developer's have disclosed the critical zero-day vulnerability found last week wasn’t a flaw; it was planted by a hacker.

Someone planted a backdoor into the build infrastructure of Webmin, and it remained undetected through version 1.882 to 1.921.

Researcher Özkan Mustafa Akkuş who discovered the vulnerability, did not inform the project about the backdoor and publicly disclosed it at DefCon.

Joe Cooper, one of Webmin's developers, called it an unethical practice, giving the project no time to work on a fix to protect users.

Akkuş also released a Metasploit module to exploit the vulnerability.

Webmin developers fixed the flaw by removing the backdoor. Webmin is a popular open-source web-based application for managing Unix-based systems.

08/28/2019

Related content

News for Admins
In the news: Code execution flaws in PHP; ESET finds malware that targets political activists; bluetooth vulnerability makes spying easy; and open source webmin had backdoor for more than a year;

more »
Webmin 2.0 Released

more »
FBI Refuses to Release the Tool Used to Hack Terrorist’s iPhone

more »
My Five Favorite Sys Admin Tools
I've written hundreds of articles over the past two decades, and I always seem to come back to a single theme: sys admin tools. I have five favorite tools that have not only stood the test of time but have also served me well in every job I've held, including when I ran my own computer consulting company.

more »
A TurnKey Linux software evaluation platform
TurnKey Linux comes with more than 100 of the most important free enterprise solutions to create a test environment for evaluating new open source system or business software on a local system, on a virtual machine, or in the cloud.

more »