
Webmin 1.900 Remote Command Execution

Posted by deepcore on January 19, 2019 – 9:51 am

This Metasploit module exploits an arbitrary command execution vulnerability in Webmin versions 1.900 and below. Any user authorized to the “Java file manager” and “Upload and Download” fields can execute arbitrary commands with root privileges. In addition, the “Running Processes” field must be authorized in order to discover the directory to upload to. A vulnerable file can be written over the original files of the Webmin application. The vulnerable file being uploaded should be integrated with the application; therefore, a “.cgi” file that belongs to the Webmin application and carries the vulnerability should be used. The module has been tested successfully with Webmin version 1.900 over Debian 4.9.18.
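For administrators, the precondition described above (one account holding all of these module grants) can be audited from the Webmin ACL file. The following is an added example, not code from the post or from the Metasploit module; it assumes the ACL lives in `webmin.acl` with one `user: module module ...` line per account, and that the module directory names are `file` (Java file manager), `updown` (Upload and Download) and `proc` (Running Processes).

```python
# Added example: flag Webmin accounts whose module grants match the advisory.
# Assumptions (not stated in the post): ACL lines look like "user: mod1 mod2",
# and the module directory names are "file", "updown" and "proc".
import sys

WRITE_MODULES = {"file", "updown"}   # Java file manager + Upload and Download
DISCOVERY_MODULE = "proc"            # Running Processes


def parse_acl(text):
    """Return {user: set(modules)} from webmin.acl-style text."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, modules = line.partition(":")
        acl[user.strip()] = set(modules.split())
    return acl


def risky_users(acl):
    """Map each exposed user to 'full' (all three grants) or 'partial'."""
    findings = {}
    for user, modules in acl.items():
        if WRITE_MODULES <= modules:
            findings[user] = "full" if DISCOVERY_MODULE in modules else "partial"
    return findings


# Constructed sample input, used when no ACL path is given on the command line.
SAMPLE_ACL = """\
root: acl file updown proc system-status
operator: file updown
backup: updown proc
auditor: proc system-status
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_ACL
    for user, level in sorted(risky_users(parse_acl(text)).items()):
        print(f"{user}: {level} match for the module grants in the advisory")
```

Accounts reported as `full` hold every grant the description lists; `partial` accounts hold the two upload-related grants but not “Running Processes”.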

