Mamwe mazuva apfuura vhezheni itsva yeWebmin yakaburitswa kuitira kudzikisira kusagadzikana kunoonekwa senge backdoor (CVE-2019-15107), inowanikwa mune yepamutemo shanduro dzechirongwa, icho chinogoverwa kuburikidza neSourceforge.
Yakawanikwa yekumashure yaivapo mushanduro kubva muna 1.882 kusvika muna 1.921 inosanganisirwa (pakanga pasina kodhi ine backdoor mune iyo git repository) uye iwe waibvumidzwa kuteedzera zvekupokana zveShell mirairo pane mudzi-wakarongeka sisitimu iri kure pasina chokwadi.
Nezve Webmin
Kune avo vasingazive nezveWebmin vanofanira kuziva izvozvo Iyi iwebhu-based control panel yekudzora Linux masisitimu. Inopa inonzwisisika uye nyore kushandisa interface kugadzirisa server yako. Dzazvino shanduro dzeWebmin dzinogona zvakare kuiswa uye kumhanya pane Windows masystem.
NaWebmin, unogona kushandura zvakajairika mapakeji pasuru pane inobhururuka, inosanganisira web server uye dhatabhesi, pamwe nekugadzirisa vashandisi, mapoka, uye mapakeji esoftware.
Webmin inobvumira mushandisi kuti aone mashandiro ari kuita, pamwe neruzivo nezve mapakeji akaiswa, gadzirisa system log mafaera, gadzirisa mafaira ekugadzirisa enetiweki interface, wedzera firewall mitemo, gadzirisa nguva yenguva uye system wachi, wedzera maprinta kuburikidza neCUPS, runyorwa rwakaisa maPerl module, gadzira SSH kana Server DHCP, uye DNS dhata rekodhi maneja.
Webmin 1.930 inosvika kuzobvisa iro backdoor
Iyo nyowani vhezheni yeWebmin vhezheni 1.930 yakaburitswa kuti igadzirise kure kure kuitisa kodhi kuitisa. Uku kunetseka kwave kuwanikwa pachena kushandisa ma module, chii inoisa mazhinji masisitimu eUNIX manejimendi panjodzi.
Yekuchengetedza chengetedzo inoratidza kuti vhezheni 1.890 (CVE-2019-15231) iri panjodzi mukumisikidza kwekumisikidza, nepo dzimwe shanduro dzakakanganiswa dzichida kuti sarudzo "chinja mushandisi password" inogoneswa.
Nezve kusagadzikana
Anorwisa anogona kutumira yakaipa http chikumbiro kune iyo password reset reset fomu fomu kubaya kodhi uye kutora webmin webhu kunyorera. Zvinoenderana neshumo rekushupika, anorwisa haadi zita rekushandisa kana password kuti ashandise chikanganiso ichi.
Kuvapo kwechimiro ichi kunoreva kuti eUku kunetseka kungave kuripo muWebmin kubvira Chikunguru 2018.
Kurwisa kunoda kuvepo kweyakavhurika network network neWebmin uye chiitiko muwebhu interface yebasa kushandura password yechinyakare (nekumisikidza inogoneswa muna 1.890 inovaka, asi yakaremara mune dzimwe shanduro).
Dambudziko rakagadziriswa mukugadzirisa 1.930.
Dambudziko rakawanikwa mu password_change.cgi script, mune iyo unix_crypt basa rinoshandiswa kuongorora iro rekare password rakapinda muwebhu fomu, iyo inotumira iyo password inogamuchirwa kubva kumushandisi isingatize yakasarudzika mavara.
Mune iyo git repository, iri basa chinongedzo paCrypt :: UnixCrypt module uye haina ngozi, asi mu sourceforge faira yakapihwa nekodhi, kodhi inodaidzwa kuti inosvika zvakananga / etc / mumvuri, asi inoita saizvozvo neiyo shell kuvaka.
Kurwisa, ingo ratidza chiratidzo «|» mumunda ne password yekare uye inotevera kodhi inomhanya ine midzi yerombo pane server.
Zvinoenderana neshoko kubva kune vanogadzira Webmin, iyo yakaipa code yakange ichitsiva nekuda kwekukanganisa kwezvivakwa zveprojekti.
Tsananguro haisati yaziviswa, saka hazvizivikanwe kana kubiridzira kwacho kwaingogumira pakutora account kuSourceforge kana ikabata zvimwe zvinhu zvegungano reWebmin nekusimudzira zvivakwa.
Nyaya yacho yakabatawo Usermin inovaka. Parizvino mafaera ese ebhutsu anovakwazve kubva kuGit.