Update your WebMin/VirtualMin installations NOW! - Page 2

Comments

  • Mun Member

    @mehargags said:
    Obscurity is the first line of defense... and is kind of effortless to achieve. So first thing you should do is change the common access ports (even block them in FW) like
    SSH-22 , RDP-4489 , Webmin-10000 , VestaCP-8083 , cPanel-2082 / WHM-2086 , Plesk-8880 , etc...

    It will always mitigate brute force attacks in the wild...

    As long as it isn't your only defense.

  • smansman Member
    edited May 2016

    @Hybrid said:

    Virtualmin 5 comes with a brand new HTML 5 theme! Would you like to try it now?

    Switch Theme / Don't ask me Again

    Guess What I chose

    I didn't like that new theme. Eye candy that runs quite a bit slower than the classic theme. Ended up switching back.

  • Hadn't heard of this exploit, thanks for the info. We've got a few servers running webmin for a few clients. Guess we have some work to do about this. Guess we didn't read up on our webmin lately

  • SwellJoe Member
    edited May 2016

    @sman said:

    @Hybrid said:

    Virtualmin 5 comes with a brand new HTML 5 theme! Would you like to try it now?

    Switch Theme / Don't ask me Again

    Guess What I chose

    I didn't like that new theme. Eye candy that runs quite a bit slower than the classic theme. Ended up switching back.

    We're aware of the sluggishness; on slow networks and slow client machines it can be annoying. I travel full-time, so my Internet is 3G/4G, often quite slow, so I experience slowdowns more than most.

    We'll keep maintaining the old theme for a while (probably another six months or so, until we branch Webmin 2.0), but we're also working to improve the responsiveness of the new theme. It looks a lot nicer, IMHO, and it improves usability in more than a few places. So, it's worth working on making it fast enough even on slow links and slow clients. The previous theme was 9 years old, and was intended as a stop gap until we could afford to hire a front end developer/designer...we never made enough money to hire a front end developer, so it never happened until Ilia came along and started doing the work for free. He's on the payroll now (for a small amount, as we still don't make enough money to have any full-time employees except Eric, who does support for our Pro customers). I believe some of those speed ups are already in 18.00, or coming in an update soon.

    We always welcome help with stuff like that. Our budget is tiny, and our available time small (we all have other work to make ends meet).

    Anyway, I think the exploit is mostly limited to Virtualmin users. The number of downloads of the affected devel versions of Webmin, 1.794 and 1.795, is pretty low (in the low thousands, not counting those from Virtualmin.com). I'm looking at the previous stable release, 1.791, at the moment, and while it has a version of Authentic with the ill-advised notifications feature (which is now removed and will come back in Webmin core, where it belongs), it does not include the dangerous bug. So, you probably aren't vulnerable even if you're using Webmin and Authentic, unless you have Virtualmin or Cloudmin systems updated within the past month, or so.

    You should still upgrade, of course. I'm not confident there aren't other problems with those notifications happening in the theme (it's just the wrong place for that functionality to exist because of how much exposure the theme has to unauthenticated requests).

    We'll be more careful about dropping new versions of Authentic into the repo, but this bug never made it into a stable release. It's just an unfortunate accident that Virtualmin users got these releases; there were Let's Encrypt updates and Ubuntu 16.04 updates that people were clamoring for, so we rolled devel versions for Virtualmin, which we rarely do.

    Cheers,

    Joe
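A small audit script tying together the two defensive points raised in this thread: Mun's quote about moving Webmin off its default port 10000 (and firewalling it), and Joe's note that only the devel builds 1.794 and 1.795 contain the bug while 1.791 does not. This is an added example, not code from the thread or from the Webmin/Virtualmin project. The file locations `/etc/webmin/version` and `/etc/webmin/miniserv.conf`, the severity labels and the sample inputs are assumptions of this example.

```python
"""Check a Webmin install against the points raised in the thread above.

Added example (not Webmin/Virtualmin code). It reports:
  1. whether the installed Webmin version is one of the devel builds the
     thread names as affected (1.794, 1.795); 1.791 is described as clean,
  2. whether miniserv.conf still listens on the default port 10000.
File paths below are assumptions about a typical package install.
"""
import re
from pathlib import Path

AFFECTED_DEVEL = {(1, 794), (1, 795)}   # versions named in the thread
DEFAULT_PORT = 10000                    # Webmin's default port (Mun's list)

VERSION_FILE = Path("/etc/webmin/version")          # assumed location
MINISERV_CONF = Path("/etc/webmin/miniserv.conf")   # assumed location


def parse_version(text):
    """Turn a string like '1.794\\n' into (1, 794); raise on garbage."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected_devel(version_text):
    """True only for the devel builds the thread calls affected."""
    return parse_version(version_text) in AFFECTED_DEVEL


def listen_port(miniserv_conf_text):
    """Return the integer 'port=' value from miniserv.conf text, or None."""
    for line in miniserv_conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "port":
            return int(value.strip())
    return None


def audit(version_text, miniserv_conf_text):
    """Return findings as (severity, message) tuples; empty list means clean.

    Severity labels are this example's own choice, not the project's.
    """
    findings = []
    major, minor = parse_version(version_text)
    if (major, minor) in AFFECTED_DEVEL:
        findings.append(("high",
                         f"Webmin {major}.{minor} is an affected devel build; "
                         "upgrade to a fixed release"))
    port = listen_port(miniserv_conf_text)
    if port == DEFAULT_PORT:
        findings.append(("low",
                         "Webmin listens on the default port 10000; consider "
                         "moving it and restricting access in the firewall"))
    elif port is None:
        findings.append(("info", "no port= line found in miniserv.conf"))
    return findings


def audit_host(version_file=VERSION_FILE, conf_file=MINISERV_CONF):
    """Audit the local install; returns None if the files are not present."""
    if not (version_file.exists() and conf_file.exists()):
        return None
    return audit(version_file.read_text(), conf_file.read_text())


# Constructed sample inputs, standing in for the real files on a vulnerable
# host that still uses the default port.
SAMPLE_VERSION = "1.794\n"
SAMPLE_MINISERV = "port=10000\nssl=1\nlisten=10000\n"

if __name__ == "__main__":
    result = audit_host()
    if result is None:
        print("Webmin files not found; auditing constructed sample instead")
        result = audit(SAMPLE_VERSION, SAMPLE_MINISERV)
    for severity, message in result or [("ok", "no findings")]:
        print(f"[{severity}] {message}")
```

Run it on a host as root (or anywhere, to see the sample output). Moving the port only clears the `low` finding; a `high` finding means the build itself needs replacing, which is Mun's "as long as it isn't your only defense" in code form.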
