From: Adam H. <ad...@gm...> - 2019-08-17 20:29:26
I believe the downloads hosted by SourceForge are compromised. They
contain a backdoor in the password_change.cgi; this is related to the
"0day" a few days ago. The code does not appear in the current GitHub repo
nor in any commits in the past.

Backdoor code:
    if ($wuser) {
        # Update Webmin user's password
        $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
        # Injected: the second argument runs the submitted "old" password
        # through qx// (a shell) before pass_error() is ever called
        $enc eq $wuser->{'pass'} ||
            &pass_error($text{'password_eold'},qx/$in{'old'}/);
        $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
        $perr && &pass_error(&text('password_enewpass', $perr));
        $wuser->{'pass'} = &acl::encrypt_password($in{'new1'});
The "old" password is passed to qx, which executes it as a system command.

See
https://www.reddit.com/r/netsec/comments/crk77z/0day_remote_code_execution_for_webmin/
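A small checker for the pattern described in the post above, added here as an example and not part of the original message or of Webmin: it flags any non-comment line of a Perl CGI that feeds a `%in` parameter into `qx//` or backticks, and runs against the backdoored fragment and a constructed clean variant (the clean variant is assumed to be the shape of the upstream code, with the extra `qx` argument removed).

```python
import re
from pathlib import Path

# A Perl qx// or backtick command whose body interpolates a CGI parameter
# from Webmin's %in hash, the shape of the injected password_change.cgi line.
# Only the "/" delimiter and backticks are covered; qx{...}, qx(...) are not.
QX_ON_INPUT = re.compile(r"qx\s*/[^/]*\$in\{[^}]*\}[^/]*/|`[^`]*\$in\{[^}]*\}[^`]*`")

def find_qx_on_cgi_input(source: str):
    """Return (line_no, text) for each non-comment line that passes %in data
    to qx// or backticks. Comment-only lines are skipped to avoid false hits."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        text = line.strip()
        if text.startswith("#"):
            continue
        if QX_ON_INPUT.search(text):
            hits.append((line_no, text))
    return hits

def scan_file(path):
    """Scan one CGI file on disk, e.g. an installed password_change.cgi."""
    return find_qx_on_cgi_input(Path(path).read_text(errors="replace"))

# Constructed sample: the backdoored fragment quoted in the post.
BACKDOORED = """\
if ($wuser) {
    # Update Webmin user's password
    $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
    $enc eq $wuser->{'pass'} ||
        &pass_error($text{'password_eold'},qx/$in{'old'}/);
    $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
"""

# Constructed sample: same fragment without the injected argument (assumed
# shape of the clean code); the comment line must not trigger a hit.
CLEAN = """\
if ($wuser) {
    # Update Webmin user's password
    # e.g. qx/$in{'old'}/ here would run the old password as a shell command
    $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
    $enc eq $wuser->{'pass'} ||
        &pass_error($text{'password_eold'});
    $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
"""

if __name__ == "__main__":
    for name, src in (("backdoored", BACKDOORED), ("clean", CLEAN)):
        print(name, find_qx_on_cgi_input(src))
```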